Text : ========================================
CodeIgniter Global XSS Filtering Bypass Vulnerability
========================================
Discovered by:
Aung Khant, YGN Ethical Hacker Group, Myanmar
http://yehg.net/ ~ believe in full disclosure
Product : CodeIgniter < http://www.codeigniter.com>
Product Description : Open-source PHP Framework
Pen-Tested Version : 1.5.2
Vulnerability : User-Agent injection
Risk : Medium
Threat : XSS, Log File Tampering
Advisory URL:
http://yehg.net/lab/pr0js/view.php/CodeIgniter%20Global%20XSS%20Filtering%2
0Bypass%20Vulnerability.pdf
Description:
$CI->input->user_agent() fails to check the validity of user-agent
type.It simply extracts from $_SERVER array without checking whether it is
bad string injection or not. In this case, we can spoof user agent string
of our browser with our arbitrary commands that can bypass stronger
CodeIgniter Security class even if $config['global_xss_filtering'] = TRUE;.
Thus we can execute XSS on the fly.