PHP Security: how can encoding be misused?

臣服心动 2020-12-14 18:47

From this excellent "UTF-8 all the way through" question, I read about this:

Unfortunately, you should verify every submitted string as being valid

2 answers
  •  暗喜 (original poster)
    2020-12-14 19:28

    Seems like this is a complicated attack. Checking the docs for mb_check_encoding gives note to an "Invalid Encoding Attack". Googling "Invalid Encoding Attack" brings up some interesting results that I will attempt to explain.

    When this kind of data is sent to the server it will perform some decoding to interpret the characters being sent over. Now the server will do some security checks to look for the encoded version of some special characters that could be potentially harmful.

    When invalid encoding is sent to the server, the server still runs its decoding algorithm and it will evaluate the invalid encoding. This is where the trouble happens because the security checks may not be looking for invalid variants that would still produce harmful characters when run through the decoding algorithm.

    Example of an attack requesting a full directory listing on a Unix system:

    http://host/cgi-bin/bad.cgi?foo=..%c0%9v../bin/ls%20-al|

    Here are some links if you would like a more detailed technical explanation of what is going on in the algorithms:

    http://www.cgisecurity.com/owasp/html/ch11s03.html#id2862815

    http://www.cgisecurity.com/fingerprinting-port-80-attacks-a-look-into-web-server-and-web-application-attack-signatures.html
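
The gap described in the answer above, as an added example that is not part of the original thread: a filter that only searches the decoded bytes for `../` lets an ill-formed sequence through, while a check that first requires well-formed UTF-8 with `mb_check_encoding` rejects it. The function names and the two samples marked as constructed are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; function names and sample values are constructed.

/** Naive filter: looks only for the literal byte sequence "../". */
function naive_check(string $value): bool
{
    return strpos($value, '../') === false;
}

/** Strict filter: well-formed UTF-8 first, content checks second. */
function strict_check(string $value): bool
{
    // Rejects stray lead bytes, truncated sequences and overlong forms
    // (0xC0 and 0xC1 can never begin a valid UTF-8 sequence).
    if (!mb_check_encoding($value, 'UTF-8')) {
        return false;
    }
    // Content checks run only on text already known to be valid UTF-8.
    return strpos($value, '..') === false && strpos($value, "\0") === false;
}

$samples = [
    // Value of the foo= parameter from the URL quoted in the answer.
    'page sample'      => '..%c0%9v../bin/ls%20-al|',
    // Constructed: the bytes 0xC0 0xAF are an overlong (invalid) form of "/".
    'overlong slash'   => '..%c0%afreports',
    // Constructed: a legitimate name with multi-byte UTF-8 characters.
    'valid UTF-8 name' => 'r%C3%A9sum%C3%A9.txt',
];

foreach ($samples as $label => $raw) {
    // rawurldecode() stands in for the single decoding pass that PHP
    // has already applied by the time a value is read from $_GET.
    $decoded = rawurldecode($raw);
    printf(
        "%-17s naive=%-6s strict=%s\n",
        $label,
        naive_check($decoded) ? 'pass' : 'reject',
        strict_check($decoded) ? 'pass' : 'reject'
    );
}
```

The point of the ordering in `strict_check` is that every later check, and every later consumer of the string, sees only input that has a single valid interpretation.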
