[UNIX] PHP strip_tags() bypass vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 07/14/04

    To: list@securiteam.com
    Date: 14 Jul 2004 10:50:27 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      PHP strip_tags() bypass vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    PHP is "a widely-used general-purpose scripting language that is
    especially suited for Web development and can be embedded into HTML".

    According to Security Space, PHP is the most popular Apache module and is
    installed on about 50% of all Apache servers worldwide. This figure of
    course includes only those servers that are not configured with
    expose_php=Off.

    During an audit of the PHP source code, a binary safety problem in the
    handling of allowed tags within PHP's strip_tags() function was
    discovered. This problem may allow injection of JavaScript in the Internet
    Explorer and Safari browsers.

    DETAILS

    Vulnerable Systems:
     * PHP version 4.3.7 and prior
     * PHP version 5.0.0RC3 and prior

    Many sites stop XSS attacks by stripping unsafe HTML tags from the user's
    input. PHP scripts usually implement this functionality with the
    strip_tags() function. This function takes an optional second parameter
    that specifies the tags which should not be stripped from the input.

       $example = strip_tags($_REQUEST['user_input'], "<b><i><s>");

    Due to a binary safety problem in the allowed-tags handling,
    attacker-supplied tags such as <\0script> or <s\0cript> will pass the check
    and won't get stripped (magic_quotes_gpc must be Off).

    In a perfect world this would not be a dangerous problem, because such tags
    are either in the allowed tag list or should be ignored by the browser,
    since they have no meaning in HTML.

    In the real world, however, MS Internet Explorer and Safari filter '\0'
    characters out of the tag and accept it as valid. Obviously this leads not
    only to a number of XSS issues on sites that filter dangerous tags with
    PHP's strip_tags(), but also on every other site that filters them with
    pattern matching, whether or not it runs PHP.
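The following Python model is an added example; it is neither part of this advisory nor PHP's source code. It emulates the shape of the problem described above (a NUL byte truncates the normalised tag before it is looked up in the allow list, so the search degrades to a substring match on "<s" or "<") next to a binary-safe check that compares the complete tag, and it adds the pre-check a defender would put in front of any tag filter: flag or reject input that carries a NUL byte inside a tag. The normalisation and lookup logic are simplified assumptions, not PHP's implementation, and the sample inputs are constructed; the real fix for the library is the corrected PHP version referenced in the disclosure timeline.

```python
import re

# Constructed samples: the two tag shapes named in the advisory, a plain
# allowed tag, and a plain disallowed tag.
SAMPLES = [
    b"<s\0cript>alert(1)</s\0cript>",
    b"<\0script>alert(1)</\0script>",
    b"<B>bold</b>",
    b"<script>alert(1)</script>",
]
ALLOWED = b"<b><i><s>"  # the allow list from the advisory's example call

TAG_RE = re.compile(rb"<[^>]*>")


def normalize_tag(tag: bytes) -> bytes:
    """Reduce a raw tag such as b'</S x=1>' to b'<s>' for allow-list lookup.
    This mirrors only the shape of strip_tags()' normalisation (assumption);
    note that a NUL byte is not whitespace, so it stays inside the name."""
    name = tag[1:].lstrip(b"/")
    name = re.split(rb"[\s>]", name, maxsplit=1)[0].lower()
    return b"<" + name + b">"


def c_str(b: bytes) -> bytes:
    """C-string view of a buffer: bytes after the first NUL are invisible to
    functions such as strstr()."""
    i = b.find(b"\0")
    return b if i < 0 else b[:i]


def tag_allowed_unsafe(tag: bytes, allowed: bytes) -> bool:
    """Model of the non-binary-safe check: a substring search over the allow
    list on a C string.  b'<s\\0cript>' degrades to b'<s', a substring of
    b'<s>', and b'<\\0script>' degrades to b'<', a substring of any entry."""
    return c_str(normalize_tag(tag)) in allowed.lower()


def tag_allowed_safe(tag: bytes, allowed: bytes) -> bool:
    """Binary-safe check: the complete normalised tag, NUL included, must be
    exactly one of the allowed tags; no truncation, no substring matching."""
    allow = set(TAG_RE.findall(allowed.lower()))
    return normalize_tag(tag) in allow


def strip_tags_model(data: bytes, allowed: bytes, check) -> bytes:
    """Drop every tag that `check` does not accept; keep the rest verbatim."""
    return TAG_RE.sub(
        lambda m: m.group(0) if check(m.group(0), allowed) else b"", data)


def has_nul_in_tag(data: bytes) -> bool:
    """Defensive pre-check / detection: a NUL byte inside a tag is never
    legitimate HTML, so such input can be rejected or logged before any
    tag filter runs."""
    return any(b"\0" in t for t in TAG_RE.findall(data))


if __name__ == "__main__":
    for s in SAMPLES:
        print("input    :", s)
        print("  unsafe :", strip_tags_model(s, ALLOWED, tag_allowed_unsafe))
        print("  safe   :", strip_tags_model(s, ALLOWED, tag_allowed_safe))
        print("  NUL tag:", has_nul_in_tag(s))
```

Running the block shows the two NUL-bearing samples surviving the unsafe check untouched while the safe check reduces them to the bare text, and the plain <script> sample being stripped by both; has_nul_in_tag() is the cheap guard that belongs in front of any tag filter, PHP or otherwise, since no browser-visible tag has a legitimate NUL in it.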

    According to tests, the following browsers are NOT affected by this:
     - Opera
     - Konqueror
     - Mozilla
     - Mozilla Firefox
     - Epiphany

    Disclosure Timeline:
    26. June 2004 - Problem found and fixed in CVS
    14. July 2004 - Public Disclosure

    CVE Information:
    CAN-2004-0595 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595

    Recommendation:
    Because Internet Explorer is, against all reason, still the most used
    browser, fixing this problem within your PHP version is strongly
    recommended.

    ADDITIONAL INFORMATION

    The information has been provided by Stefan Esser <s.esser@e-matters.de>.
    The original article can be found at:
    http://security.e-matters.de/advisories/122004.html
