Posted Jul 14, 2004
Authored by Stefan Esser | Site security.e-matters.de

PHP strip_tags() bypass vulnerability may allow for Cross-site scripting attacks launched via websites that run PHP and depend on strip_tags() for security. The attack requires a vulnerable browser such as IE, Safari, or Mozilla in order to work.

tags | advisory, php, xss, bypass
advisories | CVE-2004-0595
SHA-256 | d66c97661142fe3d557417694547c784d192d272603cbc2f590fd731fd0ddf21



e-matters GmbH

-= Security Advisory =-

Advisory: PHP strip_tags() bypass vulnerability
Release Date: 2004/07/14
Last Modified: 2004/07/14
Author: Stefan Esser [s.esser@e-matters.de]

Application: PHP <= 4.3.7
             PHP5 <= 5.0.0RC3
Severity: A binary safety problem within PHP's strip_tags()
          function may allow injection of arbitrary tags
          in Internet Explorer and Safari browsers
Risk: Moderate
Vendor Status: Vendor has released a bugfixed version.
Reference: http://security.e-matters.de/advisories/122004.html


PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

According to Security Space, PHP is the most popular Apache module
and is installed on about 50% of all Apaches worldwide. This figure
includes of course only those servers that are not configured with

During an audit of the PHP source code, a binary safety problem in
the handling of allowed tags within PHP's strip_tags() function
was discovered. This problem may allow injection of, for example,
JavaScript in Internet Explorer and Safari browsers.


Many sites stop XSS attacks by stripping unsafe HTML tags from the
user's input. PHP scripts usually implement this functionality
with the strip_tags() function. This function takes an optional
second parameter to specify tags that should not get stripped
from the input.

$example = strip_tags($_REQUEST['user_input'], "<b><i><s>");

Due to a binary safety problem within the allowed tags handling,
attacker-supplied tags like <\0script> or <s\0cript> will pass
the check and won't get stripped. (magic_quotes_gpc must be Off.)

In a perfect world this would not be a dangerous problem, because
such tags are either in the allowed tag list or should get
ignored by the browser because they have no meaning in HTML.

In the real world, however, MS Internet Explorer and Safari filter
'\0' characters from the tag and accept the result as a valid tag.
Obviously this can lead to a number of XSS issues, not only on
sites that filter dangerous tags with PHP's strip_tags() but
also on every other site that filters them with pattern matching
and is not necessarily running PHP.

According to tests:

- Opera
- Konqueror
- Mozilla
- Mozilla Firefox
- Epiphany

are NOT affected by this.
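
One server-side mitigation, as an added example that is not part of the advisory or of PHP itself: remove NUL and other control bytes before calling strip_tags(), so the filter sees the same tag name as a browser that ignores '\0'. The function names and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example, not code from the advisory. Function names are hypothetical.

/**
 * Canonicalise input before tag filtering: drop NUL and other control
 * bytes (keeping tab, LF and CR) so the filter sees the same tag name
 * that a browser which ignores '\0' would see.
 */
function canonicalise_controls(string $input): string
{
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $input) ?? '';
}

/** Filter user-supplied HTML with strip_tags() after canonicalisation. */
function filter_user_html(string $input, string $allowed = '<b><i><s>'): string
{
    return strip_tags(canonicalise_controls($input), $allowed);
}

// Constructed sample inputs using the tag forms named in the advisory.
$samples = [
    'plain'      => "<b>bold</b> text",
    'nul-first'  => "<\0script>x</\0script>",
    'nul-inside' => "<s\0cript>x</s\0cript>",
];

foreach ($samples as $label => $raw) {
    $out = filter_user_html($raw);
    // Defence in depth: once the allowed tags are set aside, the result
    // must contain no control bytes and no angle brackets.
    $leftover = preg_replace('#</?(b|i|s)>#i', '', $out) ?? '';
    $clean = !preg_match('/[\x00-\x1F<>]/', $leftover);
    printf("%-10s clean=%s output=%s\n", $label, $clean ? 'yes' : 'NO', json_encode($out));
}
```

The same canonicalise-then-filter order applies to the pattern-matching filters mentioned above, whatever language they are written in.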

Proof of Concept:

e-matters is not going to release an exploit for this vulnerability
to the public.

Disclosure Timeline:

26. June 2004 - Problem found and fixed in CVS
14. July 2004 - Public Disclosure

CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0595 to this issue.


Because Internet Explorer is out of all reason still the most used
browser fixing this problem within your PHP version is strongly



pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC

Copyright 2004 Stefan Esser. All rights reserved.
