dev.horde.org
Comment on [#388] XSS filter review
Comment
> > Also interesting. We might want to catch \0 additionally to \s inside malicious tags.
> >
> > ----- Forwarded message from s.esser@e-matters.de -----
> > Date: Wed, 14 Jul 2004 00:55:25 +0200
> > From: Stefan Esser <s.esser@e-matters.de>
> > Reply-To: Stefan Esser <s.esser@e-matters.de>
> > Subject: Advisory 12/2004: PHP strip_tags() bypass vulnerability
> > To: vulnwatch@vulnwatch.org, full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
> >
> > e-matters GmbH
> > www.e-matters.de
> >
> > -= Security Advisory =-
> >
> > Advisory: PHP strip_tags() bypass vulnerability
> > Release Date: 2004/07/14
> > Last Modified: 2004/07/14
> > Author: Stefan Esser [s.esser@e-matters.de]
> >
> > Application: PHP <= 4.3.7
> > PHP5 <= 5.0.0RC3
> > Severity: A binary safety problem within PHP's strip_tags() function may allow injection of arbitrary tags in Internet Explorer and Safari browsers
> > Risk: Moderate
> > Vendor Status: Vendor has released a bugfixed version.
> > Reference: http://security.e-matters.de/advisories/122004.html
> >
> > Overview:
> >
> > PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
> >
> > According to Security Space PHP is the most popular Apache module and is installed on about 50% of all Apaches worldwide. This figure includes of course only those servers that are not configured with expose_php=Off.
> >
> > During an audit of the PHP source code a binary safety problem in the handling of allowed tags within PHP's strip_tags() function was discovered. This problem may allow injection of e.g. Javascript in Internet Explorer and Safari browsers.
> >
> > Details:
> >
> > Many sites stop XSS attacks by stripping unsafe HTML tags from the user's input. PHP scripts usually implement this functionality with the strip_tags() function. This function takes an optional second parameter to specify tags that should not get stripped from the input.
> >
> > $example = strip_tags($_REQUEST['user_input'], "<b><i><s>");
> >
> > Due to a binary safety problem within the allowed tags handling attacker supplied tags like <\0script> or <s\0cript> will pass the check and won't get stripped. (magic_quotes_gpc must be Off)
> >
> > In a perfect world this would be no dangerous problem because such tags are either in the allowed taglist or should get ignored by the browser because they have no meaning in HTML.
> >
> > In the real world however MS Internet Explorer and Safari filter '\0' characters from the tag and accept them as valid. It is quite obvious that this can not only lead to a number of XSS issues on sites that filter dangerous tags with PHP's strip_tags() but also on every other site that filters them with pattern matching and is not necessarily running PHP.
> >
> > According to tests:
> >
> > - Opera
> > - Konqueror
> > - Mozilla
> > - Mozilla Firefox
> > - Epiphany
> >
> > are NOT affected by this.
> >
> > Proof of Concept:
> >
> > e-matters is not going to release an exploit for this vulnerability to the public.
> >
> > Disclosure Timeline:
> >
> > 26 June 2004 - Problem found and fixed in CVS
> > 14 July 2004 - Public Disclosure
> >
> > CVE Information:
> >
> > The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0595 to this issue.
> >
> > Recommendation:
> >
> > Because Internet Explorer is, out of all reason, still the most used browser, fixing this problem within your PHP version is strongly recommended.
> >
> > GPG-Key:
> >
> > http://security.e-matters.de/gpg_key.asc
> >
> > pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
> > Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC
> >
> > Copyright 2004 Stefan Esser. All rights reserved.
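As an added illustration (not Horde's or PHP's own code), the following Python sketch models the advisory's binary-safety flaw in simplified form and puts a byte-strict whitelist check next to it, using the advisory's own `"<b><i><s>"` allowed list; the truncate-at-NUL-then-substring-match behaviour of the unsafe variant is an assumption made for the model, not a transcription of PHP's implementation.

```python
import re

# The advisory's example whitelist: strip_tags($input, "<b><i><s>")
ALLOWED_SET = "<b><i><s>"          # the raw allowed-tags string as PHP receives it
ALLOWED = {"b", "i", "s"}          # the same list as a set of clean tag names

TAG_RE = re.compile(r"<[^>]*>")

def normalize_tag(tag: str) -> str:
    """Reduce '<S class="x">' or '</s>' to '<s>': lower-cased name, no attributes."""
    body = tag[1:-1].lstrip()
    if body.startswith("/"):
        body = body[1:]
    name = re.split(r"\s", body, maxsplit=1)[0]   # stops at whitespace, NOT at NUL
    return "<" + name.lower() + ">"

def tag_allowed_unsafe(tag: str) -> bool:
    """Simplified model of the pre-fix check (an assumption here, not PHP's code):
    the normalized tag is consumed as a C string, so an embedded NUL cuts it
    short, and a substring search (strstr-style) is run against the allowed list.
    '<s\\0cript>' shrinks to '<s' and '<\\0script>' to '<'; both are then found."""
    norm = normalize_tag(tag).split("\0", 1)[0]   # C-string truncation at NUL
    return norm in ALLOWED_SET                    # substring match, like strstr()

def tag_allowed_safe(tag: str) -> bool:
    """Hardened check: the name must be one clean token (letters/digits only, so
    no NUL, whitespace or other control bytes inside it) and must equal an
    allowed name exactly, never match as a substring or prefix."""
    body = tag[1:-1].strip()
    if body.startswith("/"):
        body = body[1:]
    m = re.match(r"([A-Za-z][A-Za-z0-9]*)(?:\s|$)", body)
    return bool(m) and m.group(1).lower() in ALLOWED

def strip_tags(html: str, allowed_fn) -> str:
    """Drop every tag the given check does not accept; keep everything else."""
    return TAG_RE.sub(lambda m: m.group(0) if allowed_fn(m.group(0)) else "", html)

def suspicious_tags(html: str) -> list:
    """Detection aid for input review or logs: tags carrying a NUL byte, which no
    legitimate HTML needs (the ticket suggests catching \\0 alongside \\s)."""
    return [t for t in TAG_RE.findall(html) if "\0" in t]

if __name__ == "__main__":
    # Constructed sample input built from the two tag shapes named in the advisory.
    sample = "<b>bold</b> <s\0cript>x</s\0cript> <\0script>y</\0script> <script>z</script>"
    print(repr(strip_tags(sample, tag_allowed_unsafe)))  # NUL-carrying tags survive
    print(repr(strip_tags(sample, tag_allowed_safe)))    # only <b>...</b> survives
    print(suspicious_tags(sample))
```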