FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

php -- strip_tags cross-site scripting vulnerability

Affected packages
mod_php4-twig <= 4.3.7_3
php4 <= 4.3.7_3
php4-cgi <= 4.3.7_3
php4-cli <= 4.3.7_3
php4-dtc <= 4.3.7_3
php4-horde <= 4.3.7_3
php4-nms <= 4.3.7_3
mod_php4 <= 4.3.7_3,1
php5 <= 5.0.0.r3_2
php5-cgi <= 5.0.0.r3_2
php5-cli <= 5.0.0.r3_2
mod_php5 <= 5.0.0.r3_2,1

Details

VuXML ID edf61c61-0f07-11d9-8393-000103ccf9d6
Discovery 2004-07-07
Entry 2004-09-27
Modified 2013-06-19

Stefan Esser of e-matters discovered that PHP's strip_tags() function ignored certain characters while parsing tags, allowing such tags to pass through the filter unchanged. Some browsers would then parse these tags as markup, possibly allowing cross-site scripting attacks.
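The entry above describes why tag stripping is a fragile cross-site scripting defence: a filter and a browser can disagree about what counts as a tag. The following PHP is an added example, not code from the VuXML entry or from the PHP project. It shows the mitigation a practitioner would reach for regardless of the strip_tags() version: reject control characters (including NUL, which is an assumption about the "certain characters" the entry leaves unnamed) before any HTML handling, and render untrusted text by encoding it with htmlspecialchars() rather than by stripping markup. The sample inputs are constructed; the helper names reject_control_chars and render_text are the example's own.

```php
<?php
// Added example (not from the VuXML entry or the PHP project): compares
// strip_tags()-style filtering with contextual output encoding for untrusted
// text that will be rendered into HTML. Sample inputs below are constructed.

declare(strict_types=1);

/**
 * Refuse control characters that HTML tag parsers may skip over.
 * Tab, LF and CR are kept; every other C0 control and DEL is rejected.
 * Returns null when the input is rejected, so callers cannot forget the check.
 */
function reject_control_chars(string $input): ?string
{
    // NUL (\x00) is assumed here to be one of the characters the advisory
    // refers to; the check covers the whole control range regardless.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $input) === 1) {
        return null;
    }
    return $input;
}

/**
 * Safe default for untrusted text in an HTML text or attribute context:
 * encode instead of strip, so the browser never sees a tag at all.
 */
function render_text(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed samples: ordinary markup, and markup carrying a NUL byte.
$samples = [
    "Hello <b>world</b>",
    "Hi <b\x00>there</b>",
];

foreach ($samples as $s) {
    $checked = reject_control_chars($s);
    echo "input:      ", json_encode($s), PHP_EOL;
    // Filtering: whatever survives is handed to the browser as markup.
    echo "strip_tags: ", json_encode(strip_tags($s)), PHP_EOL;
    // Encoding: angle brackets and quotes are escaped, nothing is parsed as a tag.
    echo "encoded:    ", json_encode($checked === null ? '[rejected]' : render_text($checked)), PHP_EOL, PHP_EOL;
}
```

Run it with `php example.php`. The design point is that render_text() never needs to know which characters a given browser ignores inside a tag name: once `<`, `>`, `"`, `'` and `&` are encoded, there is no tag for the browser to recover, while reject_control_chars() stops the ambiguous bytes from reaching any later filter at all.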

References

Bugtraq ID 10724
CVE Name CVE-2004-0595
Message 20040713225525.GB26865@e-matters.de
URL http://security.e-matters.de/advisories/122004.html