CodeIgniter 1.5.3 vulnerabilities
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: CodeIgniter 1.5.3 vulnerabilities
- From: "Łukasz Pilorz" <lukasz@xxxxxxxxxx>
- Date: Sun, 8 Jul 2007 15:54:09 +0000
CodeIgniter is a powerful PHP framework with a very small footprint,
built for PHP coders who need a simple and elegant toolkit to create
full-featured web applications.
(http://www.codeigniter.com)
1. _sanitize_globals() global variables unsetting
By setting a cookie such as "_SERVER=anonymous" in the browser, an attacker
can cause the _sanitize_globals() method to remove the $_SERVER array or
any other global variable.
Solution: fixed in SVN (28.06.2007)
2. "enable_query_strings" path traversal
The $_GET["c"] variable is vulnerable to path traversal if
enable_query_strings=TRUE is set in config.php. Example:
http://localhost/index.php?c=../../logs/log-2007-06-24
Solution: fixed in SVN (28.06.2007)
3. xss_clean() XSS vulnerability
Examples:
xss_clean('<img src="" onerror="eval(String.fromCharCode(97,108,101,114,116,40,39,33,39,41))">');
xss_clean("<x<xss>ss <scr<xss>ipt a='>'>alert/**/('!');//*/</script</script >>");
Solution: partially fixed in SVN (26.06.2007)
I suggest using HTML Purifier in place of xss_clean()
4. redirect() header injection
The redirect() function in url_helper.php is vulnerable to header
injection attacks (PHP < 4.4.2 or PHP < 5.1.2). Example:
redirect("\r\nSet-Cookie: Test=X");
Solution: filter user data before passing it to the redirect() function (in
PHP < 4.4.2 or PHP < 5.1.2)
Best regards,
Łukasz Pilorz
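
The filtering suggested in item 4, sketched as an added example; this is not code from the advisory or from CodeIgniter. The helper name filter_redirect_target() and the fallback route are hypothetical, and it assumes the application only ever redirects to site-relative segment paths.

```php
<?php
// Added example: hypothetical helper, not part of CodeIgniter.
// Returns a value that is safe to hand to redirect(), or $fallback when the
// user-supplied target could inject headers or point off-site.
function filter_redirect_target($target, $fallback = 'welcome')
{
    if (!is_string($target)) {
        return $fallback;
    }
    // Allowlist instead of stripping: letters, digits, "_", "-", "." and "/".
    // This excludes CR, LF and NUL, and also "%", ":" and "\", so encoded
    // line breaks (%0d%0a) and absolute URLs are rejected as well.
    // \A and \z are used because "$" would still match before a trailing "\n".
    if (!preg_match('#\A[A-Za-z0-9_\-./]+\z#', $target)) {
        return $fallback;
    }
    // "//host/path" is a protocol-relative URL; keep redirects on this site.
    if (strpos($target, '//') !== false) {
        return $fallback;
    }
    return ltrim($target, '/');
}

// Constructed sample inputs, including the advisory's own example string.
$samples = array(
    "news/view/12",
    "\r\nSet-Cookie: Test=X",
    "news/view\n",
    "%0d%0aSet-Cookie:%20Test=X",
    "http://example.test/",
    "//example.test/path",
);
foreach ($samples as $s) {
    printf("%-34s => %s\n", json_encode($s), json_encode(filter_redirect_target($s)));
}
```

Only the first sample is passed through unchanged; every other input is replaced by the fallback route before it can reach redirect().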