Bypass PHP's strip_tags() Function

vendor:

PHP

by:

Unknown

N/A

CVSS

MEDIUM

HTML Injection

CWE

Product Name: PHP

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: YES

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows, Linux, Mac

Unknown

Bypass PHP’s strip_tags() Function

Under certain circumstances, PHP's strip_tags() function improperly leaves malformed tags in place, allowing for potential cross-site scripting and HTML injection vulnerabilities when viewed by Microsoft Internet Explorer or Apple Safari web browsers.

Mitigation:

Ensure 'magic_quotes_gpc' is enabled in PHP configuration.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10724/info

It is reported that it is possible to bypass PHPs strip_tags() function.

It is reported that under certain circumstances, PHPs strip_tags() function will improperly leave malformed tags in place.

This vulnerability may mean that previously presumed-safe web applications could contain multiple cross-site scripting and HTML injection vulnerabilities when viewed by Microsoft Internet Explorer or Apple Safari web browsers.

It is reported that 'magic_quotes_gpc' must be off for PHP to be vulnerable to this issue. 

If a web application uses strip_tags() similar to:
$example = strip_tags($_REQUEST['user_input'], "<b><i><s>");

Then possible tags that may lead to exploitation might be:
<\0script> or <s\0cript>