CVE-2009-4142

Published: 21 December 2009

The htmlspecialchars function in PHP before 5.2.12 does not properly handle (1) overlong UTF-8 sequences, (2) invalid Shift_JIS sequences, and (3) invalid EUC-JP sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks by placing a crafted byte sequence before a special character.

Priority

Status

Package	Release	Status
php5 Launchpad, Ubuntu, Debian	dapper	Released (5.1.2-1ubuntu3.18)
	hardy	Released (5.2.4-2ubuntu5.10)
	intrepid	Released (5.2.6-2ubuntu4.6)
	jaunty	Released (5.2.6.dfsg.1-3ubuntu4.5)
	karmic	Released (5.2.10.dfsg.1-2ubuntu6.4)
	upstream	Released (5.2.12)
	Patches: upstream: http://svn.php.net/viewvc/?view=revision&revision=289411 upstream: http://svn.php.net/viewvc/?view=revision&revision=289554 upstream: http://svn.php.net/viewvc/?view=revision&revision=289565 upstream: http://svn.php.net/viewvc/?view=revision&revision=289567 upstream: http://svn.php.net/viewvc/?view=revision&revision=289605 upstream: http://svn.php.net/viewvc/?view=revision&revision=291821 upstream: http://svn.php.net/viewvc/?view=revision&revision=292575

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›