chuggnutt.com "HTML to Plain Text Conversion" PHP Class Code Execution

Report ID: SA33145
Source: Secunia
Date of Discovery: 15.12.2008
Criticality: Moderate
Affects:
chuggnutt.com "HTML to Plain Text Conversion" PHP Class 1.x

Compromise From: From remote
Compromise Type: System access

Summary

A vulnerability has been discovered in the chuggnutt.com "HTML to Plain Text Conversion" PHP class, which can be exploited by malicious people to compromise a vulnerable system.

Detailed Description

The vulnerability is caused by the class using insecure regular expressions to filter HTML input. This can be exploited to inject and execute arbitrary PHP code, e.g. by passing specially crafted data to an application that uses this class.

The vulnerability is confirmed in version 1.0. Other versions may also be affected.

Solution

Edit the source code to ensure that secure regular expressions are used.
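
One way to apply this fix, as an added example that is not the class's own code or part of the advisory. It assumes the insecure construct is PHP's /e (evaluate replacement) regex modifier, which the advisory does not name; the function name html_to_text, its rules and the sample input are constructed.

```php
<?php
// Added illustration, not the class's code. Function name, rules and sample
// input are constructed for this example.
//
// Assumed insecure form (works only on PHP < 7; kept as a comment):
//   preg_replace('/<h1[^>]*>(.*?)<\/h1>/ie', "strtoupper(\"\\1\")", $html);
// With /e the replacement string is evaluated as PHP after the captured
// HTML is substituted into it, so attacker-supplied markup reaches eval.

function html_to_text(string $html): string
{
    // Each rule maps a pattern to a callback. Captured text is handed over
    // as an array element (data) and is never parsed as PHP source.
    $rules = [
        '/<h[1-3][^>]*>(.*?)<\/h[1-3]>/is' => static function (array $m): string {
            return "\n\n" . strtoupper(strip_tags($m[1])) . "\n\n";
        },
        '/<a\s[^>]*href="([^"]*)"[^>]*>(.*?)<\/a>/is' => static function (array $m): string {
            return strip_tags($m[2]) . ' [' . $m[1] . ']';
        },
    ];

    foreach ($rules as $pattern => $callback) {
        $html = preg_replace_callback($pattern, $callback, $html);
        if ($html === null) {
            // PCRE failure (e.g. backtrack limit): fail closed instead of
            // continuing with an empty or partial result.
            throw new RuntimeException('PCRE error ' . preg_last_error());
        }
    }

    // Drop remaining tags, then decode entities once, as plain text.
    $text = html_entity_decode(strip_tags($html), ENT_QUOTES, 'UTF-8');
    return trim(preg_replace('/\n{3,}/', "\n\n", $text));
}

// Constructed sample input.
$sample = '<h1>Release notes</h1><p>See <a href="https://example.com/">the site</a>.</p>';
echo html_to_text($sample), "\n";
```

When reviewing an application that bundles the class, search its preg_replace calls for pattern strings whose trailing modifiers include "e" and convert each one to a callback in the same way.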