CodeIgniter 1.5.3 vulnerabilities

2007.07.14
Credit: Lukasz Pilorz
Risk: High
Local: Yes
Remote: Yes
CWE: N/A

CodeIgniter is a powerful PHP framework with a very small footprint, built for PHP coders who need a simple and elegant toolkit to create full-featured web applications. (http://www.codeigniter.com) 1. _sanitize_globals() global variables unsetting By setting e.g. "_SERVER=anonymous" cookie in the browser, an attacker can cause the _sanitize_globals() method to remove $_SERVER array or any other global variable. Solution: fixed in SVN (28.06.2007) 2. "enable_query_strings" path traversal $_GET["c"] variable is vulnerable to path traversal, if enable_query_strings=TRUE is set in config.php. Example: http://localhost/index.php?c=../../logs/log-2007-06-24 Solution: fixed in SVN (28.06.2007) 3. xss_clean() XSS vulnerability Examples: xss_clean('<img src="" onerror="eval(String.fromCharCode(97,108,101,114,116,40,39,33,39,41))">' ); xss_clean("<x<xss>ss <scr<xss>ipt a='>'>alert/**/('!');//*/</script</script >>"); Solution: partially fixed in SVN (26.06.2007) I suggest using HTML Purifier in place of xss_clean() 4. redirect() header injection redirect() function in url_helper.php is vulnerable to header injection attacks (PHP < 4.4.2 or PHP < 5.1.2). Example: redirect("\r\nSet-Cookie: Test=X"); Solution: filter user data before passing to redirect() function (in PHP < 4.4.2 or PHP < 5.1.2) Best regards, ?&#129;ukasz Pilorz


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top