[UNIX] PHP strip_tags() bypass vulnerability
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 14 Jul 2004 10:50:27 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
PHP strip_tags() bypass vulnerability
PHP is "a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML".
According to Security Space PHP is the most popular Apache module and is
installed on about 50% of all Apaches worldwide. This figure includes of
course only those servers that are not configured with expose_php=Off.
During an audit of the PHP source code a binary safety problem in the
handling of allowed tags within PHP's strip_tags() function was
Explorer and Safari browsers.
* PHP version 4.3.7 and prior
* PHP version 5.0.0RC3 and prior
Many sites stop XSS attacks by striping unsafe HTML tags from the user's
input. PHP scripts usually implement this functionality with the
strip_tags() function. This function takes an optional second parameter to
specify tags that should not get stripped from the input.
$example = strip_tags($_REQUEST['user_input'], "<b><i><s>");
Due to a binary safety problem within the allowed tags handling attacker
supplied tags like: <\0script> or <s\0cript> will pass the check and wont
get stripped (magic_quotes_gpc must be Off).
In a perfect world this would be no dangerous problem because such tags
are either in the allowed taglist or should get ignored by the browser
because they have no meaning in HTML.
In the real world however MS Internet Explorer and Safari filter '\0'
characters from the tag and accept them as valid. Quite obvious that this
can not only lead to a number of XSS issues on sites that filter dangerous
tags with PHP's strip_tags() but also on every other site that filters
them with pattern matching and is not necessary running PHP.
According to tests:
- Mozilla Firefox
Are NOT affected by this.
26. June 2004 - Problem found and fixed in CVS
14. July 2004 - Public Disclosure
Because Internet Explorer is out of all reason still the most used browser
fixing this problem within your PHP version is strongly recommended.
The information has been provided by <mailto:email@example.com> Stefan
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.