A flaw in how PHP handles decoding UTF8 sequences was reported [1], [2]. A number of attack scenarios are mentioned there that permit malformed UTF8 sequences to bypass intended XSS protections. This issue has been assigned the name CVE-2010-3870 and was fixed in PHP 5.3 [3], although it looks as though parts of the issue were fixed in the 5.2.11 release.

[1] http://bugs.php.net/bug.php?id=49687
[2] http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html
[3] http://svn.php.net/viewvc/?view=revision&revision=304959
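For applications that cannot take the fixed PHP build immediately, one defensive check is to reject ill-formed UTF-8 before any decoder or XSS filter sees it. The following is an added example, not code from the bug report or from the PHP fix; `is_strict_utf8()` is a hypothetical helper name, and it assumes the malformed sequences of concern are non-shortest (overlong) forms and incomplete sequences.

```php
<?php
// Added example: strict UTF-8 well-formedness check following RFC 3629.

function is_strict_utf8(string $s): bool
{
    $len = strlen($s);
    for ($i = 0; $i < $len; ) {
        $b = ord($s[$i]);
        if ($b < 0x80) { $i++; continue; }   // plain ASCII byte
        // The lead byte fixes the number of continuation bytes and the
        // smallest code point that may legally use that length.
        if ($b >= 0xC2 && $b <= 0xDF) {
            $n = 1; $min = 0x80; $cp = $b & 0x1F;
        } elseif ($b >= 0xE0 && $b <= 0xEF) {
            $n = 2; $min = 0x800; $cp = $b & 0x0F;
        } elseif ($b >= 0xF0 && $b <= 0xF4) {
            $n = 3; $min = 0x10000; $cp = $b & 0x07;
        } else {
            return false;   // stray continuation, 0xC0/0xC1, or 0xF5..0xFF
        }
        if ($i + $n >= $len) {
            return false;   // sequence truncated at end of input
        }
        for ($k = 1; $k <= $n; $k++) {
            $c = ord($s[$i + $k]);
            if (($c & 0xC0) !== 0x80) {
                return false;   // lead byte not followed by a continuation
            }
            $cp = ($cp << 6) | ($c & 0x3F);
        }
        if ($cp < $min || $cp > 0x10FFFF || ($cp >= 0xD800 && $cp <= 0xDFFF)) {
            return false;   // overlong form, out of range, or surrogate
        }
        $i += $n + 1;
    }
    return true;
}

// Constructed sample inputs, not taken from the bug report.
$samples = [
    'well-formed'     => "caf\xC3\xA9",
    'overlong 2-byte' => "\xC0\xBC",
    'overlong 3-byte' => "\xE0\x80\xBC",
    'truncated'       => "abc\xC3",
    'lead then ASCII' => "\xC3\"x",
];
foreach ($samples as $label => $bytes) {
    printf("%-16s %-10s %s\n", $label, bin2hex($bytes), is_strict_utf8($bytes) ? 'accept' : 'reject');
}
```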
Created php tracking bugs for this issue

Affects: fedora-all [bug 649186]
Fixed on 5.2 branch now: http://svn.php.net/viewvc?view=revision&revision=305055
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0919 https://rhn.redhat.com/errata/RHSA-2010-0919.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0195 https://rhn.redhat.com/errata/RHSA-2011-0195.html