[Tickets #388] HTML Mime filtering review

bugs at bugs.horde.org bugs at bugs.horde.org
Thu Jul 15 18:59:08 PDT 2004


-Ticket 388
-Queue: Horde Framework
-Added By: Chuck Hagenbuch <chuck at horde.org>

>From Chuck Hagenbuch <chuck at horde.org> (Thu Jul 15 18:59:07 2004):
Also interesting. We might want to catch \0 additionally to \s inside
malicious tags.

----- Weitergeleitete Nachricht von s.esser at e-matters.de -----
    Datum: Wed, 14 Jul 2004 00:55:25 +0200
    Von: Stefan Esser <s.esser at e-matters.de>
Antwort an: Stefan Esser <s.esser at e-matters.de>
 Betreff: Advisory 12/2004: PHP strip_tags() bypass vulnerability
      An: vulnwatch at vulnwatch.org, full-disclosure at lists.netsys.com,
bugtraq at securityfocus.com

                           e-matters GmbH

                      -= Security  Advisory =-

     Advisory: PHP strip_tags() bypass vulnerability
 Release Date: 2004/07/14
Last Modified: 2004/07/14
       Author: Stefan Esser [s.esser at e-matters.de]

  Application: PHP <= 4.3.7
               PHP5 <= 5.0.0RC3
     Severity: A binary safety problem within PHP's strip_tags()
               function may allow injection of arbitrary tags
               in Internet Explorer and Safari browsers
         Risk: Moderate
Vendor Status: Vendor has released a bugfixed version.
    Reference: http://security.e-matters.de/advisories/122004.html


   PHP is a widely-used general-purpose scripting language that is
   especially suited for Web development and can be embedded into HTML.

   According to Security Space PHP is the most popular Apache module
   and is installed on about 50% of all Apaches worldwide. This figure
   includes of course only those servers that are not configured with

   During an audit of the PHP source code a binary safety problem in
   the handling of allowed tags within PHP's strip_tags() function
   was discovered. This problem may allow injection of f.e. Javascript
   in Internet Explorer and Safari browsers.


   Many sites stop XSS attacks by striping unsafe HTML tags from the
   user's input. PHP scripts usually implement this functionality
   with the strip_tags() function. This function takes a optional
   second parameter to specify tags that should not get stripped
   from the input.

   $example = strip_tags($_REQUEST['user_input'], "<b><i><s>");

   Due to a binary safety problem within the allowed tags handling
   attacker supplied tags like: <\0script> or <s\0cript> will pass
   the check and wont get stripped. (magic_quotes_gpc must be Off)

   In a perfect world this would be no dangerous problem because
   such tags are either in the allowed taglist or should get
   ignored by the browser because they have no meaning in HTML.

   In the real world however MS Internet Explorer and Safari filter
   '\0' characters from the tag and accept them as valid. Quite
   obvious that this can not only lead to a number of XSS issues
   on sites that filter dangerous tags with PHP's strip_tags() but
   also on every other site that filters them with pattern matching
   and is not necessary running PHP.

   According to tests:

    - Opera
    - Konqueror
    - Mozilla
    - Mozilla Firefox
    - Epiphany

    are NOT affected by this.

Proof of Concept:

   e-matters is not going to release an exploit for this vulnerability
   to the public.

Disclosure Timeline:

   26. June 2004 - Problem found and fixed in CVS
   14. July 2004 - Public Disclosure

CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2004-0595 to this issue.


   Because Internet Explorer is out of all reason still the most used
   browser fixing this problem within your PHP version is strongly



   pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
   Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA  A71A 6F7D 572D 3004 C4BC

Copyright 2004 Stefan Esser. All rights reserved.



More information about the bugs mailing list