CVE-2004-0595
Summary
| CVE | CVE-2004-0595 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2004-07-27 04:00:00 UTC |
| Updated | 2018-10-30 16:25:00 UTC |
| Description | The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities. |
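The description above says the bug is in the allow-list path of strip_tags(): a NUL byte inside a tag name is left in place, and browsers that ignore NUL (Internet Explorer and Safari are named) then render a tag the filter never compared against its allow-list. The following PHP is an added example written for this page, not code from the advisory or from the PHP project. It probes a PHP build for the described behaviour with a constructed payload, reports any NUL-containing tags that survive filtering, and shows the defensive wrapper (drop NUL before the allow-list comparison) that removes the mismatch between what the filter sees and what the browser renders. The function names and the sample inputs are assumptions chosen for illustration.

```php
<?php
// Added example for CVE-2004-0595 (not the advisory's or PHP's own code).

/**
 * Return every tag in $html that still contains a NUL byte.
 * A browser that ignores NUL renders such a tag as if the NUL were absent,
 * so any tag returned here was never compared correctly against the allow-list.
 */
function tags_containing_nul(string $html): array
{
    preg_match_all('/<[^>]*>/s', $html, $m);   // PCRE is binary-safe, NUL is matched by [^>]
    return array_values(array_filter(
        $m[0],
        fn(string $tag): bool => strpos($tag, "\0") !== false
    ));
}

/**
 * Defensive wrapper: remove NUL bytes before strip_tags() performs its
 * allow-list comparison, so the filter and the browser agree on the tag name.
 * (Rejecting the request outright is the stricter alternative; NUL has no
 * legitimate place in user-supplied HTML.)
 */
function strip_tags_no_nul(string $html, string $allowed): string
{
    $canonical = str_replace("\0", '', $html);
    return strip_tags($canonical, $allowed);
}

/**
 * Probe for the behaviour in the CVE description: feed a tag whose name is
 * split by a NUL byte through strip_tags() with an allow-list and check whether
 * a NUL-containing tag survives. Returns true when the build does not filter
 * NUL inside tag names. The payload is a constructed test input, not one taken
 * from the advisory.
 */
function build_passes_nul_tags(): bool
{
    $probe = "<b\0>x</b\0>";
    $out   = strip_tags($probe, '<b>');
    return tags_containing_nul($out) !== [];
}

// Constructed sample: the tag name is interrupted by a NUL byte.
$sample = "<b\0 title=\"x\">text</b>";

var_dump(build_passes_nul_tags());                       // true on an affected build
var_dump(tags_containing_nul(strip_tags($sample, '<b>'))); // [] on a fixed build
var_dump(strip_tags_no_nul($sample, '<b>'));             // NUL removed before filtering
```

Run it against the PHP binary that actually serves the application; on an unpatched 4.3.x or 5.0.0RC build the probe returns true. Two caveats belong next to this check. First, removing NUL is a canonicalization step, not a sanitizer: strip_tags() never modifies attributes on tags you allow, so an allowed `<b onmouseover=...>` still carries script. Second, the safe fix is the vendor update (PHP 4.3.8 / 5.0.0 or the distribution packages in the references); the wrapper only closes the NUL mismatch while that update is pending.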
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Avaya | Converged Communications Server | 2.0 | All | All | All |
| Application | Avaya | Integrated Management | All | All | All | All |
| Hardware | Avaya | S8300 | r2.0.0 | All | All | All |
| Hardware | Avaya | S8300 | r2.0.1 | All | All | All |
| Hardware | Avaya | S8500 | r2.0.0 | All | All | All |
| Hardware | Avaya | S8500 | r2.0.1 | All | All | All |
| Hardware | Avaya | S8700 | r2.0.0 | All | All | All |
| Hardware | Avaya | S8700 | r2.0.1 | All | All | All |
| Application | Php | Php | 4.0 | All | All | All |
| Application | Php | Php | 4.0.1 | All | All | All |
| Application | Php | Php | 4.0.2 | All | All | All |
| Application | Php | Php | 4.0.3 | All | All | All |
| Application | Php | Php | 4.0.4 | All | All | All |
| Application | Php | Php | 4.0.5 | All | All | All |
| Application | Php | Php | 4.0.6 | All | All | All |
| Application | Php | Php | 4.0.7 | All | All | All |
| Application | Php | Php | 4.1.0 | All | All | All |
| Application | Php | Php | 4.1.1 | All | All | All |
| Application | Php | Php | 4.1.2 | All | All | All |
| Application | Php | Php | 4.2.0 | All | All | All |
| Application | Php | Php | 4.2.1 | All | All | All |
| Application | Php | Php | 4.2.2 | All | All | All |
| Application | Php | Php | 4.2.3 | All | All | All |
| Application | Php | Php | 4.3.0 | All | All | All |
| Application | Php | Php | 4.3.1 | All | All | All |
| Application | Php | Php | 4.3.2 | All | All | All |
| Application | Php | Php | 4.3.3 | All | All | All |
| Application | Php | Php | 4.3.5 | All | All | All |
| Application | Php | Php | 4.3.6 | All | All | All |
| Application | Php | Php | 4.3.7 | All | All | All |
| Application | Php | Php | 5.0 | rc1 | All | All |
| Application | Php | Php | 5.0 | rc2 | All | All |
| Application | Php | Php | 5.0 | rc3 | All | All |
| Operating System | Redhat | Fedora Core | core_1.0 | All | All | All |
| Operating System | Redhat | Fedora Core | core_2.0 | All | All | All |
| Operating System | Trustix | Secure Linux | 1.5 | All | All | All |
| Operating System | Trustix | Secure Linux | 2.0 | All | All | All |
| Operating System | Trustix | Secure Linux | 2.1 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| redhat.com \| Red Hat Support | REDHAT | www.redhat.com | |
| Debian -- Security Information -- DSA-531-1 php4 | DEBIAN | www.debian.org | Patch, Vendor Advisory |
| redhat.com \| Red Hat Support | REDHAT | www.redhat.com | |
| 'Advisory 11/2004: PHP memory_limit remote vulnerability' - MARC | BUGTRAQ | marc.info | |
| Security Announcement | SUSE | www.novell.com | |
| '[security bulletin] SSRT4777 HP-UX Apache, PHP remote code execution, Denial of Service' - MARC | HP | marc.info | |
| Home - Conectiva | CONECTIVA | distro.conectiva.com.br | |
| 'TSSA-2004-013 - php' - MARC | BUGTRAQ | marc.info | |
| PHP Strip_Tags() Function Bypass Vulnerability | BID | www.securityfocus.com | Exploit, Patch, Vendor Advisory |
| rhn.redhat.com \| Red Hat Support | REDHAT | www.redhat.com | |
| Debian -- Security Information -- DSA-669-1 php3 | DEBIAN | www.debian.org | |
| Repository / Oval Repository | OVAL | oval.cisecurity.org | |
| redhat.com \| Red Hat Support | REDHAT | www.redhat.com | |
| MandrakeSecure: MandrakeSoft Security Advisory MDKSA-2004:068 : php | MANDRAKE | www.mandrakesecure.net | |
| '[OpenPKG-SA-2004.034] OpenPKG Security Advisory (php)' - MARC | BUGTRAQ | marc.info | |
| [Full-Disclosure] Advisory 12/2004: PHP strip_tags() bypass vulnerability | FULLDISC | lists.grok.org.uk | |
| Gentoo Linux Documentation -- PHP: Multiple security vulnerabilities | GENTOO | www.gentoo.org | |
| IBM X-Force Exchange | XF | exchange.xforce.ibmcloud.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.