Security Advisory 12/2004

e-matters security specialist and PHP core developer Stefan Esser has found two critical security vulnerabilities in PHP. These vulnerabilities allow the execution of arbitrary code or the bypassing of XSS (cross-site scripting) protection techniques.

Advisory 12/2004
PHP strip_tags() bypass vulnerability


Release Date: 2004/07/14
Author: Stefan Esser
Application: PHP <= 4.3.7, PHP5 <= 5.0.0RC3
Severity: A binary safety problem within PHP's strip_tags() function may allow injection of arbitrary tags in Internet Explorer and Safari browsers
Risk: Moderate
Last Modified: 2004/07/14


Overview

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

According to Security Space, PHP is the most popular Apache module and is installed on about 50% of all Apache servers worldwide. This figure of course includes only those servers that are not configured with expose_php=Off.

During an audit of the PHP source code, a binary safety problem in the handling of allowed tags within PHP's strip_tags() function was discovered. This problem may allow the injection of, for example, JavaScript in Internet Explorer and Safari browsers.


Details

Many sites stop XSS attacks by stripping unsafe HTML tags from the user's input. PHP scripts usually implement this functionality with the strip_tags() function. This function takes an optional second parameter that specifies the tags which should not be stripped from the input.

$example = strip_tags($_REQUEST['user_input'], "<b><i><s>");

Due to a binary safety problem within the allowed-tags handling, attacker-supplied tags such as <\0script> or <s\0cript> pass the check and are not stripped (magic_quotes_gpc must be Off).

In a perfect world this would not be a dangerous problem, because such tags are either in the allowed tag list or are ignored by the browser, since they have no meaning in HTML.

In the real world, however, MS Internet Explorer and Safari filter '\0' characters out of the tag and accept it as valid. Obviously this can lead not only to a number of XSS issues on sites that filter dangerous tags with PHP's strip_tags(), but also on every other site that filters them with pattern matching and is not necessarily running PHP.

According to tests:

- Opera
- Konqueror
- Mozilla
- Mozilla Firefox
- Epiphany

are NOT affected by this.
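As an added example (not e-matters' or PHP's own code): a hardened wrapper that removes NUL bytes before delegating to strip_tags(), plus a check that flags the bypass pattern for logging or rejection. Function names and sample inputs are this example's own; on PHP versions carrying the fix noted in the timeline, strip_tags() itself handles the NUL byte, so the wrapper is defence in depth for sites that cannot upgrade immediately.

```php
<?php
// Added example, not code from the advisory or from PHP itself.

// Hardened replacement for strip_tags(): neutralises the "<s\0cript>" trick
// before the allow-list is consulted.
function safe_strip_tags(string $input, string $allowed_tags = ''): string
{
    // 1. Remove NUL bytes outright. Browsers that drop '\0' inside a tag name
    //    would otherwise reassemble "<s\0cript>" into "<script>".
    $clean = str_replace("\0", '', $input);

    // 2. Strip the remaining tags, honouring the caller's allow-list.
    $clean = strip_tags($clean, $allowed_tags);

    // 3. Defence in depth: drop other C0 control characters (keeping tab, LF
    //    and CR) that a lenient parser might likewise ignore inside a tag.
    return preg_replace('/[\x01-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $clean);
}

// True when the input carries a NUL byte inside an angle-bracket tag, i.e.
// the shape described in this advisory. Suitable for logging the request or
// rejecting it instead of silently cleaning it.
function looks_like_nul_tag_bypass(string $input): bool
{
    return (bool) preg_match('/<[^>]*\x00[^>]*>/', $input);
}

// Constructed sample inputs: the two tag shapes named above plus a benign one.
$samples = [
    "<b>bold</b> <s\0cript>x</s\0cript>",
    "<\0script>x</script>",
    "<i>no NUL here</i>",
];

foreach ($samples as $s) {
    printf("suspicious=%s cleaned=%s\n",
        looks_like_nul_tag_bypass($s) ? 'yes' : 'no',
        safe_strip_tags($s, '<b><i><s>'));
}
```

With the allow-list "<b><i><s>", the first two samples are reported as suspicious and come back with the script tags removed, while the benign sample is untouched.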


Proof of Concept

e-matters is not going to release an exploit for this vulnerability to the public.


Disclosure Timeline

26 June 2004 Problem found and fixed in CVS
14 July 2004 Public Disclosure


CVE Information

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0595 to this issue.


Recommendation

Because Internet Explorer is, against all reason, still the most used browser, fixing this problem within your PHP version is strongly recommended.