The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities.

Stefan Esser of e-matters discovered that PHP's strip_tags() function would ignore certain characters during parsing of tags, allowing these tags to pass through. Select browsers could then parse these tags, possibly allowing cross-site scripting attacks.

New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and
-current to fix security issues (memory_limit handling and a problem in the strip_tags function). Sites using PHP should upgrade.

Two vulnerabilities have been discovered in php4 which also apply to the version of php3 in the stable Debian distribution. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CAN-2004-0594     The memory_limit functionality allows remote attackers     to execute arbitrary code under certain circumstances.

  - CAN-2004-0595

    The strip_tags function does not filter null (\0)     characters within tag names when restricting input to     allowed tags, which allows dangerous tags to be     processed by some web browsers which could lead to     cross-site scripting (XSS) vulnerabilities.

The remote host is missing Security Update 2005-001. This security update contains a number of enhancements for the following programs :

 - at commands
 - ColorSync
 - libxml2
 - Mail
 - PHP
 - Safari
 - SquirrelMail
 

he remote host is missing Security Update 2005-001. This security update contains a number of fixes for the following programs :

  - at commands
  - ColorSync
  - libxml2
  - Mail
  - PHP
  - Safari
  - SquirrelMail

These programs have multiple vulnerabilities which may allow a remote attacker to execute arbitrary code.

Two vulnerabilities were discovered in php4 :

  - CAN-2004-0594     The memory_limit functionality in PHP 4.x up to 4.3.7,     and 5.x up to 5.0.0RC3, under certain conditions such as     when register_globals is enabled, allows remote     attackers to execute arbitrary code by triggering a     memory_limit abort during execution of the     zend_hash_init function and overwriting a HashTable     destructor pointer before the initialization of key data     structures is complete.

  - CAN-2004-0595

    The strip_tags function in PHP 4.x up to 4.3.7, and 5.x     up to 5.0.0RC3, does not filter null (\0) characters     within tag names when restricting input to allowed tags,     which allows dangerous tags to be processed by web     browsers such as Internet Explorer and Safari, which     ignore null characters and facilitate the exploitation     of cross-site scripting (XSS) vulnerabilities.

The remote host is affected by the vulnerability described in GLSA-200407-13 (PHP: Multiple security vulnerabilities)

    Several security vulnerabilities were found and fixed in version 4.3.8 of     PHP. The strip_tags() function, used to sanitize user input, could in     certain cases allow tags containing \\0 characters (CAN-2004-0595). When     memory_limit is used, PHP might unsafely interrupt other functions     (CAN-2004-0594). The ftok and itpc functions were missing safe_mode checks.
    It was possible to bypass open_basedir restrictions using MySQL's LOAD DATA     LOCAL function. Furthermore, the IMAP extension was incorrectly allocating     memory and alloca() calls were replaced with emalloc() for better stack     protection.
  Impact :

    Successfully exploited, the memory_limit problem could allow remote     execution of arbitrary code. By exploiting the strip_tags vulnerability, it     is possible to pass HTML code that would be considered as valid tags by the     Microsoft Internet Explorer and Safari browsers. Using ftok, itpc or     MySQL's LOAD DATA LOCAL, it is possible to bypass PHP configuration     restrictions.
  Workaround :

    There is no known workaround that would solve all these problems. All users     are encouraged to upgrade to the latest available versions.

Stefan Esser discovered a remotely exploitable vulnerability in PHP where a remote attacker could trigger a memory_limit request termination in places where an interruption is unsafe. This could be used to execute arbitrary code.

As well, Stefan Esser also found a vulnerability in the handling of allowed tags within PHP's strip_tags() function. This could lead to a number of XSS issues on sites that rely on strip_tags(); however, this only seems to affect the Internet Explorer and Safari browsers.

The updated packages have been patched to correct the problem and all users are encouraged to upgrade immediately.

The remote host is missing the patch for the advisory SUSE-SA:2004:021 (php4/mod_php4).


PHP is a well known, widely-used scripting language often used within web server setups.
Stefan Esser found a problem with the 'memory_limit' handling of PHP which allows remote attackers to execute arbitrary code as the user running the PHP interpreter. This problem has been fixed. Additionally a problem within the 'strip_tags' function has been found and fixed which allowed remote attackers to inject arbitrary tags into certain web browsers, issuing XSS related attacks.
Since there is no easy workaround except disabling PHP, we recommend an update for users running the PHP interpreter within the apache web server.

To be sure the update takes effect you have to restart the apache process by executing the following command as root:

/usr/sbin/rcapache restart

or if you use the apache2 package

/usr/sbin/rcapache2 restart

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.

Updated php packages that fix various security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server.

Stefan Esser discovered a flaw when memory_limit is enabled in versions of PHP 4 before 4.3.8. If a remote attacker could force the PHP interpreter to allocate more memory than the memory_limit setting before script execution begins, then the attacker may be able to supply the contents of a PHP hash table remotely. This hash table could then be used to execute arbitrary code as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0594 to this issue.

This issue has a higher risk when PHP is running on an instance of Apache which is vulnerable to CVE-2004-0493. For Red Hat Enterprise Linux 3, this Apache memory exhaustion issue was fixed by a previous update, RHSA-2004:342. It may also be possible to exploit this issue if using a non-default PHP configuration with the 'register_defaults' setting is changed to 'On'. Red Hat does not believe that this flaw is exploitable in the default configuration of Red Hat Enterprise Linux 3.

Stefan Esser discovered a flaw in the strip_tags function in versions of PHP before 4.3.8. The strip_tags function is commonly used by PHP scripts to prevent Cross-Site-Scripting attacks by removing HTML tags from user-supplied form data. By embedding NUL bytes into form data, HTML tags can in some cases be passed intact through the strip_tags function, which may allow a Cross-Site-Scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0595 to this issue.

All users of PHP are advised to upgrade to these updated packages, which contain backported patches that address these issues.

Updated php packages that fix various security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server.

Stefan Esser discovered a flaw when memory_limit configuration setting is enabled in versions of PHP 4 before 4.3.8. If a remote attacker could force the PHP interpreter to allocate more memory than the memory_limit setting before script execution begins, then the attacker may be able to supply the contents of a PHP hash table remotely. This hash table could then be used to execute arbitrary code as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0594 to this issue.

This issue may be exploitable if using the default PHP configuration with the 'register_globals' setting of 'On'. The Apache memory exhaustion bug, fixed in a previous update to Red Hat Enterprise Linux 3, may also allow this PHP issue to be exploited; this Apache bug does not affect Red Hat Enterprise Linux 2.1.

Stefan Esser discovered a flaw in the strip_tags function in versions of PHP before 4.3.8. The strip_tags function is commonly used by PHP scripts to prevent Cross-Site-Scripting attacks by removing HTML tags from user-supplied form data. By embedding NUL bytes into form data, HTML tags can in some cases be passed intact through the strip_tags function, which may allow a Cross-Site-Scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0595 to this issue.

All users of PHP are advised to upgrade to these updated packages, which contain backported patches that address these issues.

According to its banner, the version of PHP 4.3.x installed on the remote host is prior to 4.3.7.  It is, therefore, potentially affected by a bug that could allow an attacker to execute arbitrary code on the  remote host if the option memory_limit is set. Another bug in the function strip_tags() may allow an attacker to bypass content restrictions when submitting data and may lead to cross-site scripting issues.

The remote host is missing Security Update 2005-001. This security update contains a number of enhancements for the following programs :

 - at commands
 - ColorSync
 - libxml2
 - Mail
 - PHP
 - Safari
 - SquirrelMail

ID	Name	Product	Family	Severity
19159	FreeBSD : php -- strip_tags XSS vulnerability (edf61c61-0f07-11d9-8393-000103ccf9d6)	Nessus	FreeBSD Local Security Checks	medium
18773	Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : PHP (SSA:2004-202-01)	Nessus	Slackware Local Security Checks	medium
16343	Debian DSA-669-1 : php3 - several vulnerabilities	Nessus	Debian Local Security Checks	medium
2555	Mac OS X Multiple Vulnerabilities (Security Update 2005-001)	Nessus Network Monitor	Web Clients	critical
16251	Mac OS X Multiple Vulnerabilities (Security Update 2005-001)	Nessus	MacOS X Local Security Checks	high
15368	Debian DSA-531-1 : php4 - several vulnerabilities	Nessus	Debian Local Security Checks	medium
14546	GLSA-200407-13 : PHP: Multiple security vulnerabilities	Nessus	Gentoo Local Security Checks	medium
14167	Mandrake Linux Security Advisory : php (MDKSA-2004:068)	Nessus	Mandriva Local Security Checks	medium
13837	SUSE-SA:2004:021: php4/mod_php4	Nessus	SuSE Local Security Checks	medium
13653	RHEL 3 : php (RHSA-2004:392)	Nessus	Red Hat Local Security Checks	medium
13652	RHEL 2.1 : php (RHSA-2004:395)	Nessus	Red Hat Local Security Checks	medium
13650	PHP < 4.3.8 Multiple Vulnerabilities	Nessus	CGI abuses	medium
800804	Mac OS X Multiple Vulnerabilities (Security Update 2005-001)	Log Correlation Engine	Operating System Detection	high

Detections

Analytics

CVE-2004-0595

medium

Tenable Plugins

medium

medium

medium

critical

high

medium

medium

medium

medium

medium

medium

medium

high