| Topic: | KSES related issues |
| Severity: | Highly Critical |
| Versions affected: | <1.6.7, <1.7.5, <1.8.5 |
| Reported by: | Łukasz Pilorz, Allegro.pl |
| Issue no.: | MDL-13705 |
| Solution: | update to 1.6.7, 1.7.5, 1.8.6, 1.9.2 or any recent weekly build or 1/ use latest cvs version of /lib/kses.php - 1.6.x, 1.7.x, 1.8.x 2/ and patch /lib/weblib.php using - 1.6.x, 1.7.x, 1.8.x |
| Posted: | Tue, 15 Apr 2008 21:43:49 GMT |
Description:
During internal code review performed by Allegro.pl, some weaknesses were discovered in KSES - PHP HTML/XHTML filter. HTML filters using or based on kses are part of many popular projects, including WordPress, Moodle, Drupal, eGroupware, Dokeos, PHP-Nuke, Geeklog and others. Issues found range from cross-site scripting to code execution, depending on implementation.
We received notice in advance from Łukasz Pilorz who later helped us to fix this and found another related problem in Moodle code.
There is a new option "Use HTML Purifier" in 1.9, it uses a different whitelisting technique which is considered to be much safer than KSES.
Note: severity of this issue was updated because automated exploit script was released to public and several sites were already compromised.
(Edited by Petr Škoda (škoďák) - original submission Tuesday, 15 April 2008, 9:43 PM)