PHP default_charset is none

By
Sooraj V Nair
Published on
02 May 2022
Vulnerability

The newer PHP versions from version 5.6 have set default_Charest as UTF-8. There are many servers using PHP default charset as empty. The default character encoding is used for encoding and decoding HTML entities, HTML special character functions. The value of default_charset will also be used to set the default character set for iconv functions encoding and decoding. Setting default_charset to an empty value is not recommended. This encoding affects htmlentities(), html_entity_decode() and htmlspecialchars(). This is also used for iconv functions too.

Impact

Using this vulnerability, an attacker can:-

  • manipulate HTTP server-side settings.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Try to use UTF-8 in charset declarations.
  • Make sure the web application is using a whitelist of accepted charsets if the application wants to control the charset.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Sooraj V Nair
Sooraj V Nair
Cyber Security Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.