J-Security Center

Title: kses Multiple Input Validation Vulnerabilities

Severity: HIGH

Description:

The kses application is a PHP-based script designed to filter HTML and XHTML input to eliminate cross-site scripting attacks. The script is incorporated into other PHP applications so as to sanitize user-supplied input.

The script is prone to multiple input-validation vulnerabilities due to flaws in the 'kses_bad_protocol_once()' function. The specific issues are:

- A PHP code-execution vulnerability arises from insecure use of '/e' in 'preg_replace()'. This issue may be exploited only with nonstandard uses of kses, but the reporter states that unspecified instances are known to exist.

- A cross-site scripting vulnerability occurs because the software improperly handles '%08' or '%0B' bytes at the beginning of attribute values. This causes the script to fail to filter out malicious content.

- A cross-site scripting vulnerability occurs because the software improperly handles 'style' attributes. The script fails to sanitize CSS content and to filter out malicious content.

The attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. PHP code execution is also reportedly possible, but may be exploitable only in limited -- and unknown -- circumstances.
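As an added example that is not kses's own code, the following PHP shows one way to harden the two attribute checks the advisory describes: numeric-entity decoding through preg_replace_callback() rather than the /e modifier, scheme detection that strips control bytes such as 0x08 and 0x0B before comparing against an allowlist, and a conservative declaration-only check for 'style' attributes. The function names, the allowlist and the sample values are assumptions of this example.

```php
<?php
// Added example, not kses's own code; names, allowlist and samples are this example's own.

const EXAMPLE_ALLOWED_PROTOCOLS = ['http', 'https', 'mailto', 'ftp'];

// Decode numeric entities (&#58;, &#x3a;) with a callback instead of /e.
function example_decode_numeric_entities(string $s): string {
    return preg_replace_callback('/&#(?:x([0-9a-f]+)|([0-9]+));?/i',
        function (array $m): string {
            $cp = $m[1] !== '' ? hexdec($m[1]) : (int) $m[2];
            return $cp < 0x80 ? chr($cp) : $m[0];   // only ASCII matters here
        }, $s) ?? $s;
}

// Return the scheme of an attribute value in lowercase, or '' when relative.
function example_scheme(string $value): string {
    $value = example_decode_numeric_entities($value);
    // Strip every ASCII control character (0x00-0x1F, 0x7F) and space first,
    // so a leading 0x08 or 0x0B byte can no longer hide the scheme.
    $value = (string) preg_replace('/[\x00-\x20\x7f]+/', '', $value);
    return preg_match('#^([a-z][a-z0-9+.-]*):#i', $value, $m) ? strtolower($m[1]) : '';
}

// Accept relative URLs and allowlisted schemes; reject everything else.
function example_url_attribute_is_safe(string $value): bool {
    $scheme = example_scheme($value);
    return $scheme === '' || in_array($scheme, EXAMPLE_ALLOWED_PROTOCOLS, true);
}

// Conservative style="" check: plain "property: value" declarations only.
function example_style_attribute_is_safe(string $css): bool {
    $css = (string) preg_replace('#/\*.*?\*/#s', '', example_decode_numeric_entities($css));
    // Escapes, parentheses (url(), expression()), @-rules and angle brackets
    // have no place in an inline declaration list, so reject them outright.
    if (preg_match('/[\\\\()@<>]/', $css)) {
        return false;
    }
    foreach (explode(';', $css) as $decl) {
        if (trim($decl) !== '' && !preg_match('/^\s*-?[a-z][a-z-]*\s*:[^:]*$/i', $decl)) {
            return false;
        }
    }
    return true;
}

// Constructed sample values (not taken from the advisory).
var_dump(example_url_attribute_is_safe('https://example.com/page'));
var_dump(example_url_attribute_is_safe("\x08javascript:x"));
var_dump(example_style_attribute_is_safe('color: red; font-size: 12px'));
var_dump(example_style_attribute_is_safe('width: expression(x)'));
```

The functions return a verdict only; the caller should drop or replace the offending attribute rather than try to "clean" it, which is where the original filter went wrong.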

The issues are known to affect the following projects that have incorporated kses:

Dokeos prior to 1.8.4 SP3
eGroupWare prior to 1.4.003
WordPress prior to 2.5
Moodle prior to 1.9

Other applications may also be affected.

NOTE: These issues were previously documented in the following BIDs:

28424 eGroupWare '_bad_protocol_once()' HTML Security Bypass Vulnerability
28121 Dokeos Multiple Remote Code Execution and Cross-Site Scripting Vulnerabilities

Since these issues were determined to originate in the same kses-based source code, this BID has been created to cover all the affected packages.

Affected Products:

  • Debian Linux 3.1.0
  • Debian Linux 3.1.0 alpha
  • Debian Linux 3.1.0 amd64
  • Debian Linux 3.1.0 arm
  • Debian Linux 3.1.0 hppa
  • Debian Linux 3.1.0 ia-32
  • Debian Linux 3.1.0 ia-64
  • Debian Linux 3.1.0 m68k
  • Debian Linux 3.1.0 mips
  • Debian Linux 3.1.0 mipsel
  • Debian Linux 3.1.0 ppc
  • Debian Linux 3.1.0 s/390
  • Debian Linux 3.1.0 sparc
  • Debian Linux 4.0
  • Debian Linux 4.0 alpha
  • Debian Linux 4.0 amd64
  • Debian Linux 4.0 arm
  • Debian Linux 4.0 armel
  • Debian Linux 4.0 hppa
  • Debian Linux 4.0 ia-32
  • Debian Linux 4.0 ia-64
  • Debian Linux 4.0 m68k
  • Debian Linux 4.0 mips
  • Debian Linux 4.0 mipsel
  • Debian Linux 4.0 powerpc
  • Debian Linux 4.0 s/390
  • Debian Linux 4.0 sparc
  • Debian Linux 5.0
  • Debian Linux 5.0 alpha
  • Debian Linux 5.0 amd64
  • Debian Linux 5.0 arm
  • Debian Linux 5.0 armel
  • Debian Linux 5.0 hppa
  • Debian Linux 5.0 ia-32
  • Debian Linux 5.0 ia-64
  • Debian Linux 5.0 m68k
  • Debian Linux 5.0 mips
  • Debian Linux 5.0 mipsel
  • Debian Linux 5.0 powerpc
  • Debian Linux 5.0 s/390
  • Debian Linux 5.0 sparc
  • Dokeos Open Source Learning & Knowledge Management 1.8.0
  • Dokeos Open Source Learning & Knowledge Management 1.8.4
  • Dokeos Open Source Learning & Knowledge Management 1.8.4 SP1
  • Dokeos Open Source Learning & Knowledge Management 1.8.4 SP3
  • Dokeos Open Source Learning & Knowledge Management Tool 1.4.0
  • Dokeos Open Source Learning & Knowledge Management Tool 1.5.0
  • Dokeos Open Source Learning & Knowledge Management Tool 1.5.3
  • Dokeos Open Source Learning & Knowledge Management Tool 1.5.4
  • Dokeos Open Source Learning & Knowledge Management Tool 1.5.5
  • Dokeos Open Source Learning & Knowledge Management Tool 1.6.0 RC2
  • Dokeos Open Source Learning & Knowledge Management Tool 1.6.4
  • Dokeos Open Source Learning & Knowledge Management Tool 1.6.4 (P1)
  • Dokeos Open Source Learning & Knowledge Management Tool 1.6.5
  • Dokeos Open Source Learning & Knowledge Management Tool 1.8.0
  • Dokeos Open Source Learning & Knowledge Management Tool 1.8.4
  • Dokeos Open Source Learning & Knowledge Management Tool 1.8.4 SP1
  • Dokeos Open Source Learning & Knowledge Management Tool 1.8.4 SP2
  • Gentoo Linux
  • Gentoo Linux 1.4.0
  • Moodle moodle 1.3.0
  • Moodle moodle 1.3.1
  • Moodle moodle 1.3.2
  • Moodle moodle 1.3.3
  • Moodle moodle 1.3.4
  • Moodle moodle 1.4.1
  • Moodle moodle 1.4.2
  • Moodle moodle 1.4.3
  • Moodle moodle 1.5.0
  • Moodle moodle 1.5.1
  • Moodle moodle 1.5.2
  • Moodle moodle 1.5.3
  • Moodle moodle 1.5.3 +
  • Moodle moodle 1.6.0 dev
  • Moodle moodle 1.6.1
  • Moodle moodle 1.6.1 +
  • Moodle moodle 1.6.2
  • Moodle moodle 1.7.1
  • Moodle moodle 1.8.3
  • Moodle moodle 1.8.4
  • RedHat Fedora 8
  • S.u.S.E. openSUSE 10.2
  • S.u.S.E. openSUSE 10.3
  • Ubuntu Ubuntu Linux 7.10 amd64
  • Ubuntu Ubuntu Linux 7.10 i386
  • Ubuntu Ubuntu Linux 7.10 lpia
  • Ubuntu Ubuntu Linux 7.10 powerpc
  • Ubuntu Ubuntu Linux 7.10 sparc
  • Ubuntu Ubuntu Linux 8.04 LTS amd64
  • Ubuntu Ubuntu Linux 8.04 LTS i386
  • Ubuntu Ubuntu Linux 8.04 LTS lpia
  • Ubuntu Ubuntu Linux 8.04 LTS powerpc
  • Ubuntu Ubuntu Linux 8.04 LTS sparc
  • WordPress WordPress 0.7.0
  • WordPress WordPress 0.71.0
  • WordPress WordPress 1.2.0
  • WordPress WordPress 1.2.1
  • WordPress WordPress 1.2.2
  • WordPress WordPress 1.3.1
  • WordPress WordPress 1.5.0
  • WordPress WordPress 1.5.1
  • WordPress WordPress 1.5.1 .2
  • WordPress WordPress 1.5.1 .3
  • WordPress WordPress 1.5.2
  • WordPress WordPress 2.0.0
  • WordPress WordPress 2.0.1
  • WordPress WordPress 2.0.10
  • WordPress WordPress 2.0.10-RC1
  • WordPress WordPress 2.0.10-RC2
  • WordPress WordPress 2.0.11
  • WordPress WordPress 2.0.2
  • WordPress WordPress 2.0.3
  • WordPress WordPress 2.0.4
  • WordPress WordPress 2.0.5
  • WordPress WordPress 2.0.6
  • WordPress WordPress 2.0.7
  • WordPress WordPress 2.1
  • WordPress WordPress 2.1.1
  • WordPress WordPress 2.1.2
  • WordPress WordPress 2.1.3
  • WordPress WordPress 2.1.3-RC1
  • WordPress WordPress 2.1.3-RC2
  • WordPress WordPress 2.2
  • WordPress WordPress 2.2 Revision 5002
  • WordPress WordPress 2.2 Revision 5003
  • WordPress WordPress 2.2.1
  • WordPress WordPress 2.2.2
  • WordPress WordPress 2.2.3
  • WordPress WordPress 2.3
  • WordPress WordPress 2.3.1
  • WordPress WordPress 2.3.2
  • WordPress WordPress 2.3.3
  • WordPress Wordpress (B2) 0.6.2
  • WordPress Wordpress (B2) 0.6.2 .1
  • eGroupWare eGroupWare 1.0.0
  • eGroupWare eGroupWare 1.0.0 .0.007
  • eGroupWare eGroupWare 1.0.0 .0.009
  • eGroupWare eGroupWare 1.0.1
  • eGroupWare eGroupWare 1.0.3
  • eGroupWare eGroupWare 1.0.6
  • eGroupWare eGroupWare 1.2.106-2
  • eGroupWare eGroupWare 1.2.107-2
  • eGroupWare eGroupWare 1.4.001
  • eGroupWare eGroupWare 1.4.002
  • kses kses 0.2.2
