CVE-2004-0595

Name: CVE-2004-0595
Description: The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-531, DSA-669-1
NVD severity: medium (attack range: remote)

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version         Urgency  Origin     Debian Bugs
php3     source  (unstable)  3:3.0.18-27           medium
php3     source  woody       3:3.0.18-23.1woody2   medium   DSA-669-1
php4     source  (unstable)  4:4.3.8-1             medium
php4     source  woody       4.1.2-7               medium   DSA-531
