^{CVE-2020-7067:}Buffer Over-read Vulnerability in PHP's urldecode() Function on EBCDIC Systems

Overview

The vulnerability affects PHP installations that are specifically compiled with EBCDIC (Extended Binary Coded Decimal Interchange Code) support, which is relatively uncommon. Most modern systems use ASCII or Unicode encoding, making this vulnerability's impact limited to specialized environments. When exploited, the vulnerability in the urldecode() function allows attackers to potentially read data outside the boundaries of allocated memory by manipulating input parameters. This could lead to information leakage or denial of service conditions if the application crashes due to accessing invalid memory.

Remediation

To address this vulnerability, users should upgrade their PHP installations to the following patched versions:

• For PHP 7.2.x: Upgrade to version 7.2.30 or later
• For PHP 7.3.x: Upgrade to version 7.3.17 or later
• For PHP 7.4.x: Upgrade to version 7.4.5 or later

If immediate upgrading is not possible, consider implementing the following mitigations:

1. Avoid using the urldecode() function with untrusted input
2. Apply input validation before passing data to urldecode()
3. Consider using alternative URL decoding methods if available
4. Monitor for unusual application behavior or crashes that might indicate exploitation attempts

References

1. PHP Bug Tracker: https://bugs.php.net/bug.php?id=79465
2. NetApp Security Advisory: https://security.netapp.com/advisory/ntap-20200504-0001/
3. Debian Security Advisory DSA-4717: https://www.debian.org/security/2020/dsa-4717
4. Debian Security Advisory DSA-4719: https://www.debian.org/security/2020/dsa-4719
5. Oracle Critical Patch Update Advisory - October 2020: https://www.oracle.com/security-alerts/cpuoct2020.html
6. Oracle Critical Patch Update Advisory - April 2021: https://www.oracle.com/security-alerts/cpuApr2021.html
7. Tenable Security Advisory TNS-2021-14: https://www.tenable.com/security/tns-2021-14