bugtraq - CodeIgniter 1.5.3 vulnerabilities

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite for Android: free password hash cracker in your pocket

[<prev] [next>] [day] [month] [year] [list]

Date: Sun, 8 Jul 2007 15:54:09 +0000
From: "Łukasz Pilorz" <lukasz@...orz.net>
To: bugtraq@...urityfocus.com
Subject: CodeIgniter 1.5.3 vulnerabilities

CodeIgniter is a powerful PHP framework with a very small footprint,
built for PHP coders who need a simple and elegant toolkit to create
full-featured web applications.
(http://www.codeigniter.com)

1. _sanitize_globals() global variables unsetting
By setting e.g. "_SERVER=anonymous" cookie in the browser, an attacker
can cause the _sanitize_globals() method to remove $_SERVER array or
any other global variable.

Solution: fixed in SVN (28.06.2007)

2. "enable_query_strings" path traversal
$_GET["c"] variable is vulnerable to path traversal, if
enable_query_strings=TRUE is set in config.php. Example:
http://localhost/index.php?c=../../logs/log-2007-06-24

Solution: fixed in SVN (28.06.2007)

3. xss_clean() XSS vulnerability
Examples:
xss_clean('<img src=""
onerror="eval(String.fromCharCode(97,108,101,114,116,40,39,33,39,41))">');
xss_clean("<x<xss>ss <scr<xss>ipt
a='>'>alert/**/('!');//*/</script</script >>");

Solution: partially fixed in SVN (26.06.2007)
I suggest using HTML Purifier in place of xss_clean()

4. redirect() header injection
redirect() function in url_helper.php is vulnerable to header
injection attacks (PHP < 4.4.2 or PHP < 5.1.2). Example:
redirect("\r\nSet-Cookie: Test=X");

Solution: filter user data before passing to redirect() function (in
PHP < 4.4.2 or PHP < 5.1.2)

Best regards,
Łukasz Pilorz