| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Jul 2009 22:23:09 +0630 From: "YGN Ethical Hacker Group (http://yehg.net)" <lists@...g.net> To: full-disclosure@...ts.grok.org.uk Subject: CodeIgniter Global XSS Filtering Bypass Vulnerability ======================================== CodeIgniter Global XSS Filtering Bypass Vulnerability ======================================== Discovered by: Aung Khant, YGN Ethical Hacker Group, Myanmar http://yehg.net/ ~ believe in full disclosure Product : CodeIgniter < http://www.codeigniter.com> Product Description : Open-source PHP Framework Pen-Tested Version : 1.5.2 Vulnerability : User-Agent injection Risk : Medium Threat : XSS, Log File Tampering Advisory URL: http://yehg.net/lab/pr0js/view.php/CodeIgniter%20Global%20XSS%20Filtering%20Bypass%20Vulnerability.pdf Description: $CI->input->user_agent() fails to check the validity of user-agent type. It simply extracts from $_SERVER array without checking whether it is bad string injection or not. In this case, we can spoof user agent string of our browser with our arbitrary commands that can bypass stronger CodeIgniter Security class even if $config['global_xss_filtering'] = TRUE;. Thus we can execute XSS on the fly. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists