CodeIgniter 1.5.3 vulnerabilities

Advisory Text :

CodeIgniter is a powerful PHP framework with a very small footprint,
built for PHP coders who need a simple and elegant toolkit to create
full-featured web applications.
(http://www.codeigniter.com)

1. _sanitize_globals() global variables unsetting
By setting e.g. "_SERVER=anonymous" cookie in the browser, an attacker
can cause the _sanitize_globals() method to remove $_SERVER array or
any other global variable.

Solution: fixed in SVN (28.06.2007)

2. "enable_query_strings" path traversal
$_GET["c"] variable is vulnerable to path traversal, if
enable_query_strings=TRUE is set in config.php. Example:
http://localhost/index.php?c=../../logs/log-2007-06-24

Solution: fixed in SVN (28.06.2007)

3. xss_clean() XSS vulnerability
Examples:
xss_clean('<img src=""
onerror="eval(String.fromCharCode(97,108,101,114,116,40,39,33,39,41))">'
);
xss_clean("<x<xss>ss <scr<xss>ipt
a='>'>alert/**/('!');//*/</script</script >>");

Solution: partially fixed in SVN (26.06.2007)
I suggest using HTML Purifier in place of xss_clean()

4. redirect() header injection
redirect() function in url_helper.php is vulnerable to header
injection attacks (PHP < 4.4.2 or PHP < 5.1.2). Example:
redirect("rnSet-Cookie: Test=X");

Solution: filter user data before passing to redirect() function (in
PHP < 4.4.2 or PHP < 5.1.2)

Best regards,
Åukasz Pilorz

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

CodeIgniter 1.5.3 vulnerabilities