CVE-2004-0595
CVE-2004-0595
The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities.
Affected products
n/a · n/apublic PoCs found — 1
exploitdbwww.exploit-db.com/exploits/24280unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000847http://lists.grok.org.uk/pipermail/full-disclosure/2004-July/023909.htmlhttp://marc.info/?l=bugtraq&m=108981780109154&w=2http://marc.info/?l=bugtraq&m=108982983426031&w=2http://marc.info/?l=bugtraq&m=109051444105182&w=2http://marc.info/?l=bugtraq&m=109181600614477&w=2https://exchange.xforce.ibmcloud.com/vulnerabilities/16692https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10619http://www.debian.org/security/2004/dsa-531http://www.debian.org/security/2005/dsa-669http://www.gentoo.org/security/en/glsa/glsa-200407-13.xmlhttp://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:068