Vigil@nce: Perl, denial of service via UTF-8
October 2009 by Vigil@nce
An attacker can use some UTF-8 characters to stop applications
using Perl.
Severity: 1/4
Consequences: denial of service of the service, denial of service
of the client
Provenance: document
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 26/10/2009
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The Perl language tags variables which are potentially dangerous
by "tainting" them.
When a tainted string containing a UTF-8 character whose value is
greater than one million is used in a regular expression, an error
occurs. This error stops the Perl program.
An attacker can therefore use some UTF-8 characters to stop Perl
applications.
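A defensive pre-check for the condition described above, added here as an illustration and not taken from the advisory or from Perl itself: it decodes untrusted input and rejects any code point above one million before a regular expression sees it. The function names, the threshold constant and the sample inputs are assumptions constructed for this example.

```perl
use strict;
use warnings;

# Threshold taken from the advisory text: values above one million.
use constant MAX_CODEPOINT => 1_000_000;

# Return the first code point above $limit, or nothing if there is none.
# Only ord() and substr() are used, so the untrusted string is never
# handed to the regular-expression engine during the check.
sub first_oversized_codepoint {
    my ($str, $limit) = @_;
    $limit = MAX_CODEPOINT unless defined $limit;
    for my $i (0 .. length($str) - 1) {
        my $cp = ord(substr($str, $i, 1));
        return $cp if $cp > $limit;
    }
    return;
}

# Decode untrusted octets and vet them before any pattern match.
# Returns (1, $decoded) on success or (0, $reason) on rejection.
sub vet_untrusted_octets {
    my ($octets) = @_;
    my $str = $octets;                       # utf8::decode works in place
    utf8::decode($str) or return (0, 'not well-formed UTF-8');
    my $cp = first_oversized_codepoint($str);
    return (0, sprintf('code point %d exceeds %d', $cp, MAX_CODEPOINT))
        if defined $cp;
    return (1, $str);
}

# Constructed sample inputs (not taken from the advisory).
my $big = chr(1_000_001);
utf8::encode($big);                          # character -> UTF-8 octets
my @samples = (
    [ 'ascii'     => 'user=alice' ],
    [ 'accented'  => "caf\xC3\xA9" ],
    [ 'oversized' => "id=$big" ],
    [ 'malformed' => "bad\xFF" ],
);

for my $s (@samples) {
    my ($ok, $info) = vet_untrusted_octets($s->[1]);
    # Only an accepted string should reach the application's patterns.
    printf "%-9s %s\n", $s->[0], $ok ? 'accepted' : "rejected ($info)";
}
```

The limit of one million follows the wording of this advisory, so it also rejects a small range of valid private-use code points.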
CHARACTERISTICS
Identifiers: 69973, CVE-2009-3626, VIGILANCE-VUL-9121
http://vigilance.fr/vulnerability/Perl-denial-of-service-via-UTF-8-9121