EvilOctal Security Team Technical Discussion Group's Archiver

冰血封情 2004-7-16 00:05

[Repost] PHP strip_tags() can be bypassed by remote users (vulnerability)

PHP strip_tags() Can Be Bypassed By Remote Users With Tags Containing '\0'  
Source: SuperHei

SecurityTracker Alert ID: 1010699
SecurityTracker URL: [url]http://securitytracker.com/id?1010699[/url]
CVE Reference: CAN-2004-0595 (Links to External Site)
Date: Jul 14 2004

Impact: Modification of user information

Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes

Advisory: e-matters

Version(s): 4.3.7 and prior versions; 5.0.0RC3 and prior versions

Description: A vulnerability was reported in PHP in the strip_tags() function. A remote user may be able to bypass the function to inject arbitrary tags when certain web browsers are used.

Stefan Esser of e-matters reported that if 'magic_quotes_gpc' is off and strip_tags() is used to attempt to remove HTML tags from user-supplied input, a remote user can supply specially crafted tags that will not be properly stripped by the function.

Tags such as the following will bypass the function:

<\0script>

<s\0cript>

The report indicates that Microsoft's Internet Explorer and Apple's Safari web browsers will ignore the '\0' string and interpret the above listed type of tags as valid tags.

The report also indicates that Opera, Konqueror, Mozilla, Firefox, and Epiphany are not affected.

The original advisory is available at:

[url]http://security.e-matters.de/advisories/122004.html[/url]

Impact: A remote user can submit specially crafted tags in input that is filtered by strip_tags() to bypass the filtering process. Whether or not this results in a vulnerability depends on the application using the affected function.

Solution: The vendor has released a fixed version (4.3.8 and 5.0.0), available at:

[url]http://www.php.net/downloads.php[/url]

Vendor URL: [url]www.php.net/[/url] (Links to External Site)

Cause: Input validation error, State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: Stefan Esser <[email]s.esser@e-matters.de[/email]>

Message History: None.



--------------------------------------------------------------------------------

Source Message Contents

--------------------------------------------------------------------------------

Date: Wed, 14 Jul 2004 00:55:25 +0200
From: Stefan Esser <[email]s.esser@e-matters.de[/email]>
Subject: [Full-Disclosure] Advisory 12/2004: PHP strip_tags() bypass vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

e-matters GmbH
[url]www.e-matters.de[/url]

-= Security Advisory =-


Advisory: PHP strip_tags() bypass vulnerability
Release Date: 2004/07/14
Last Modified: 2004/07/14
Author: Stefan Esser [[email]s.esser@e-matters.de[/email]]

Application: PHP <= 4.3.7
PHP5 <= 5.0.0RC3
Severity: A binary safety problem within PHP's strip_tags()
function may allow injection of arbitrary tags
in Internet Explorer and Safari browsers
Risk: Moderate
Vendor Status: Vendor has released a bugfixed version.
Reference: [url]http://security.e-matters.de/advisories/122004.html[/url]


Overview:

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

According to Security Space PHP is the most popular Apache module
and is installed on about 50% of all Apaches worldwide. This figure
includes of course only those servers that are not configured with
expose_php=Off.

During an audit of the PHP source code a binary safety problem in
the handling of allowed tags within PHP's strip_tags() function
was discovered. This problem may allow injection of e.g. Javascript
in Internet Explorer and Safari browsers.


Details:

Many sites stop XSS attacks by stripping unsafe HTML tags from the
user's input. PHP scripts usually implement this functionality
with the strip_tags() function. This function takes an optional
second parameter to specify tags that should not get stripped
from the input.

$example = strip_tags($_REQUEST['user_input'], "<b><i><s>");

Due to a binary safety problem within the allowed tags handling,
attacker-supplied tags like <\0script> or <s\0cript> will pass
the check and won't get stripped. (magic_quotes_gpc must be Off.)

In a perfect world this would not be a dangerous problem, because
such tags are either in the allowed tag list or should get
ignored by the browser because they have no meaning in HTML.

In the real world, however, MS Internet Explorer and Safari filter
'\0' characters from the tag and accept them as valid. It is quite
obvious that this can not only lead to a number of XSS issues
on sites that filter dangerous tags with PHP's strip_tags(), but
also on every other site that filters them with pattern matching
and is not necessarily running PHP.

According to tests:

- Opera
- Konqueror
- Mozilla
- Mozilla Firefox
- Epiphany

are NOT affected by this.


Proof of Concept:

e-matters is not going to release an exploit for this vulnerability
to the public.


Disclosure Timeline:

26. June 2004 - Problem found and fixed in CVS
14. July 2004 - Public Disclosure


CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0595 to this issue.


Recommendation:

Because Internet Explorer is out of all reason still the most used
browser fixing this problem within your PHP version is strongly
recommended.


GPG-Key:

[url]http://security.e-matters.de/gpg_key.asc[/url]

pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: [url]http://lists.netsys.com/full-disclosure-charter.html[/url]
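The bypass the advisory above describes, as an added example that is not part of the original post or of e-matters' advisory: a pattern-matching allow-list filter in the spirit of the advisory's strip_tags() call, the NUL-byte tags quoted in the advisory passing through it, the mitigation (canonicalise away NUL bytes before filtering) and a detection check. The `lenient_browser_view` model of IE/Safari NUL handling is an assumption for the demo, not a reimplementation of either browser.

```python
import re

# Constructed inputs modelled on the tags quoted in the advisory;
# "\x00" is the NUL byte that strip_tags() and similar filters mishandle.
SAMPLES = [
    "<script>alert(1)</script>",
    "<s\x00cript>alert(1)</s\x00cript>",
    "<\x00script>alert(1)</script>",
    "<b>bold</b> plain text",
]
ALLOWED = {"b", "i", "s"}  # same allow-list as the advisory's example
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)[^>]*>")

def naive_filter(html: str) -> str:
    """Pattern-matching allow-list filter of the kind the advisory warns about.
    The tag name is read up to the first non-alphanumeric byte, so "<s\\0cript>"
    is compared as "s" (allowed) and "<\\0script>" never matches at all; both
    pass through untouched."""
    def keep_or_drop(m):
        return m.group(0) if m.group(1).lower() in ALLOWED else ""
    return TAG_RE.sub(keep_or_drop, html)

def lenient_browser_view(html: str) -> str:
    """Assumed model of the behaviour the advisory attributes to IE and Safari:
    NUL bytes are dropped before tags are interpreted. A simplification for the
    demo, not a reimplementation of either parser."""
    return html.replace("\x00", "")

def hardened_filter(html: str) -> str:
    """Mitigation: canonicalise to the view a lenient browser will take (drop
    NUL bytes) and only then apply the tag filter."""
    return naive_filter(lenient_browser_view(html))

def has_nul_inside_tag(html: str) -> bool:
    """Detection helper for logs or a WAF rule: a NUL byte between '<' and '>'
    has no legitimate use in HTML and marks this bypass attempt."""
    return re.search(r"<[^>]*\x00[^>]*>", html) is not None

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s))
        print("  naive    ->", repr(naive_filter(s)))
        print("  browser  ->", repr(lenient_browser_view(naive_filter(s))))
        print("  hardened ->", repr(hardened_filter(s)))
        print("  flagged  ->", has_nul_inside_tag(s))
```

Running it shows the naive filter leaving both NUL-bearing tags intact, the lenient view turning them into a live script tag, and the hardened filter reducing every sample to its text content.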

Page: [1]
© 1999-2008 EvilOctal Security Team