About Us | Contact Us

 


 

VUPEN Free Resources
 
  VUPEN Security Advisories
 
  VUPEN Security Blog & News
  Zero-day Attacks Monitor
  Daily Security Mailinglist
  Explanation of Terms
  Advanced Search Engine
 
   

HTML-Parser "decode_entities()" Function Denial of Service Vulnerability

VUPEN ID VUPEN/ADV-2009-3022
CVE ID CVE-2009-3627
 
CWE ID Available in VUPEN VNS Customer Area
CVSS V2 Available in VUPEN VNS Customer Area
Rated as Low Risk 
Impact Available in VUPEN VNS Customer Area
Authentication Level Available in VUPEN VNS Customer Area
Access Vector Available in VUPEN VNS Customer Area
Release Date 2009-10-26
Share Twitter LinkedIn Facebook Delicious Digg Slashdot

Technical Description

A vulnerability has been identified in HTML-Parser, which could be exploited by attackers to cause a denial of service. This issue is caused by an infinite loop in the "decode_entities()" [util.c] function when processing malformed HTML entities, which could allow attackers to crash an affected application via specially crafted HTML data.

Affected Products

HTML-Parser versions prior to 3.63

Solution 

Upgrade to HTML-Parser version 3.63 :
http://search.cpan.org/CPAN/authors/id/G/GA/GAAS/HTML-Parser-3.63.tar.gz

References

http://www.vupen.com/english/advisories/2009/3022
http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225

Credits 

Vulnerability reported by Mark Martinec.

Changelog 

2009-10-26 : Initial release

Feedback 

If you have additional information or corrections for this security advisory please submit them via our contact form.
 

Monthly Statistics 

 

 VUPEN Security Advisories By Criticality: Aug 2010


  Critical Risk

 : 0%

  High Risk		 : 0%

  Moderate Risk		 : 0%

  Low Risk		 : 100%

Get a real-time view of the vulnerabilities affecting your systems using the VUPEN VNS reporting capabilities.
 
 

Try VUPEN VNS 

 

 





© 2004-2010 VUPEN Security - Copyright - Privacy Policy