Out of bounds read in php_strip_tags_ex

Publication Date: 2020-01-23
Severity: Moderate
Type: Information Disclosure
Affected PHP Versions
  • 5.6.0 - 5.6.40
  • 7.0.0 - 7.0.33
  • 7.1.0 - 7.1.33
  • 7.2.0 - 7.2.26
  • 7.3.0 - 7.3.13
  • 7.3.0 - 7.4.1
Fixed Product Versions
  • ZendPHP 5.6
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendServer 2019.0.4

CVE Details

When using the fgetss() function to read data while stripping HTML tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14, and 7.4.x below 7.4.2, it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or a crash.

Recommendations

fgetss() combines the functionality of fgets() with that of strip_tags(), which removes HTML and PHP tags, as well as null bytes. Considering fgetss() is deprecated, you should not be using it. Instead, you should call strip_tags() on each valid return value of fgets():

while (! feof($fh)) {
    $line = fgets($fh);
    if ($line === false) {
        break; // EOF or read error: fgets() returned no line, so there is nothing to strip
    }
    $line = strip_tags($line); // removes HTML and PHP tags as well as NUL bytes
    // do something with $line
}
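
The following is an added example, not code from the Zend advisory: a small drop-in replacement for fgetss() built from fgets() and strip_tags(), covering the optional length and allowable-tags arguments that fgetss() also accepted, and exercised on a constructed in-memory stream. The function name fgets_stripped and the sample input are this example's own.

```php
<?php
// Added example (not part of the advisory): replace fgetss() with fgets() + strip_tags().
// fgets_stripped() and the sample text below are constructed for illustration.

/**
 * Read one line from $fh and strip HTML/PHP tags from it, like fgetss() did.
 * Returns false on EOF or read error, exactly as fgets() does, so existing
 * `=== false` checks in calling code keep working.
 *
 * @param resource    $fh             open stream
 * @param int|null    $length         maximum bytes to read (fgets() reads $length - 1)
 * @param string|null $allowable_tags tags to keep, e.g. '<b><i>'
 */
function fgets_stripped($fh, $length = null, $allowable_tags = null)
{
    $line = ($length === null) ? fgets($fh) : fgets($fh, $length);
    if ($line === false) {
        return false; // nothing to strip: EOF or read error
    }
    // strip_tags() removes HTML tags, PHP tags and NUL bytes; $allowable_tags are kept.
    return strip_tags($line, $allowable_tags);
}

// Constructed input: an HTML line, a line containing a PHP tag and a NUL byte,
// and a line whose <b> tag should survive while <i> is dropped.
$sample = "<p>Hello <script>alert(1)</script>world</p>\n"
        . "before<?php echo 'x'; ?>after\0end\n"
        . "keep <b>bold</b> drop <i>italic</i>\n";

$fh = fopen('php://memory', 'r+');
fwrite($fh, $sample);
rewind($fh);

$lines = [];
while (($line = fgets_stripped($fh, null, '<b>')) !== false) {
    $lines[] = rtrim($line, "\n");
}
fclose($fh);

print_r($lines);
```

Note that strip_tags() removes the tags but not the text between them, so the contents of a removed `<script>` element remain in the line; as with fgetss(), this is a tag stripper, not an HTML sanitizer, and output that is rendered back into a page still needs context-appropriate escaping.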

When possible, upgrade to PHP 7.2.27 or higher, 7.3.14 or higher, or 7.4.2 or higher.