[UNIX] PHP strip_tags() bypass vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 07/14/04

  • Next message: SecuriTeam: "[NEWS] 4D WebSTAR Multiple Vulnerabilities"
    To: list@securiteam.com
    Date: 14 Jul 2004 10:50:27 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      PHP strip_tags() bypass vulnerability


    PHP is "a widely-used general-purpose scripting language that is
    especially suited for Web development and can be embedded into HTML".

    According to Security Space PHP is the most popular Apache module and is
    installed on about 50% of all Apaches worldwide. This figure includes of
    course only those servers that are not configured with expose_php=Off.

    During an audit of the PHP source code a binary safety problem in the
    handling of allowed tags within PHP's strip_tags() function was
    discovered. This problem may allow injection of JavaScript in Internet
    Explorer and Safari browsers.


    Vulnerable Systems:
     * PHP version 4.3.7 and prior
     * PHP version 5.0.0RC3 and prior

    Many sites stop XSS attacks by striping unsafe HTML tags from the user's
    input. PHP scripts usually implement this functionality with the
    strip_tags() function. This function takes an optional second parameter to
    specify tags that should not get stripped from the input.

       $example = strip_tags($_REQUEST['user_input'], "<b><i><s>");

    Due to a binary safety problem within the allowed tags handling attacker
    supplied tags like: <\0script> or <s\0cript> will pass the check and wont
    get stripped (magic_quotes_gpc must be Off).

    In a perfect world this would be no dangerous problem because such tags
    are either in the allowed taglist or should get ignored by the browser
    because they have no meaning in HTML.

    In the real world however MS Internet Explorer and Safari filter '\0'
    characters from the tag and accept them as valid. Quite obvious that this
    can not only lead to a number of XSS issues on sites that filter dangerous
    tags with PHP's strip_tags() but also on every other site that filters
    them with pattern matching and is not necessary running PHP.

    According to tests:
     - Opera
     - Konqueror
     - Mozilla
     - Mozilla Firefox
     - Epiphany

    Are NOT affected by this.

    Disclosure Timeline:
    26. June 2004 - Problem found and fixed in CVS
    14. July 2004 - Public Disclosure

    CVE Information:

    Because Internet Explorer is out of all reason still the most used browser
    fixing this problem within your PHP version is strongly recommended.


    The information has been provided by <mailto:s.esser@e-matters.de> Stefan
    The original article can be found at:


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] 4D WebSTAR Multiple Vulnerabilities"