Security announcements

MSA-08-0008: KSES related issues

Picture of Petr Skoda
MSA-08-0008: KSES related issues
Topic: KSES related issues
Severity: Highly Critical
Versions affected: <1.6.7, <1.7.5, <1.8.5
Reported by: Łukasz Pilorz,
Issue no.: MDL-13705
Solution: update to 1.6.7, 1.7.5, 1.8.6, 1.9.2 or any recent weekly build
1/ use latest cvs version of /lib/kses.php - 1.6.x, 1.7.x, 1.8.x
2/ and patch /lib/weblib.php using - 1.6.x, 1.7.x, 1.8.x
Posted: Tue, 15 Apr 2008 21:43:49 GMT


During internal code review performed by, some weaknesses were discovered in KSES - PHP HTML/XHTML filter. HTML filters using or based on kses are part of many popular projects, including WordPress, Moodle, Drupal, eGroupware, Dokeos, PHP-Nuke, Geeklog and others. Issues found range from cross-site scripting to code execution, depending on implementation.

We received notice in advance from Łukasz Pilorz who later helped us to fix this and found another related problem in Moodle code.

There is a new option "Use HTML Purifier" in 1.9, it uses a different whitelisting technique which is considered to be much safer than KSES.

Note: severity of this issue was updated because automated exploit script was released to public and several sites were already compromised.

(Edited by Petr Škoda (škoďák) - original submission Tuesday, 15 April 2008, 9:43 PM)