CodeIgniter Forums

Full Version: New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2

El Forum

[eluser]Jumper[/eluser]
Below is a copy of a new entry in "full-disclosure" mailing list (security mailing list)
Section 3 below looks pretty bad. Especially because there is no fix even in the SVN..

Quote:CodeIgniter 1.5.3 vulnerabilities

1. _sanitize_globals() global variables unsetting By setting e.g. "_SERVER=anonymous" cookie in the browser, an attacker can cause the _sanitize_globals() method to remove $_SERVER array or any other global variable.

Solution: fixed in SVN (28.06.2007)


2. "enable_query_strings" path traversal $_GET["c"] variable is vulnerable to path traversal, if enable_query_strings=TRUE is set in config.php. Example:
http://localhost/index.php?c=../../logs/log-2007-06-24

Solution: fixed in SVN (28.06.2007)


3. xss_clean() XSS vulnerability
Examples:
xss_clean('ss <script
a='>'>alert/**/('!');//*/</script</script >>");

Solution: partially fixed in SVN (26.06.2007) I suggest using HTML Purifier in place of xss_clean()


4. redirect() header injection
redirect() function in url_helper.php is vulnerable to header injection attacks (PHP < 4.4.2 or PHP < 5.1.2). Example:
redirect("\r\nSet-Cookie: Test=X");

Solution: filter user data before passing to redirect() function (in PHP < 4.4.2 or PHP < 5.1.2)


Best regards,
Łukasz Pilorz

El Forum

[eluser]Bruno França[/eluser]
CodeIgniter 1.5.3 vulnerabilities
Take a look at: http://www.securityfocus.com/archive/1/473190

El Forum

[eluser]Paul Burdick[/eluser]
Oy. Derek Jones and Derek Allard were preparing a release for you guys and this guy could not even wait. Simply had to get his credit on numerous board and lists. Not only that but Secunia picked this up and has, as usual, more than half of its information wrong making our job that much harder.

And there is a total solution in SVN for 3) and it has been in there for a few weeks now.

El Forum

[eluser]Jim OHalloran[/eluser]
Is there any word on when a new release which includes those fixes will be ready? Now that the vulnerabilies are public I'm fairly keen to update my apps.

Jim.

El Forum

[eluser]Derek Allard[/eluser]
Hi Jim. You can update at any time from the subversion repository if you want. I know that's not for everyone though, and we're be releasing a new CI version shortly. Give us just a bit more time. In the meantime, if you want to be sure, don't enable query strings (not very typical anyhow) and grab the new input library. Obviously the new build will have more then that, but that will give you immediate help.

El Forum

[eluser]Jim OHalloran[/eluser]
Thanks Derek, I don't have query strings enabled, and I'll grab the new input library in the interim. I know you guys have some changes planned for the next release so I'd rather hold of til it's ready and documented rather than just dive in with the code from subversion.

Jim.

El Forum

[eluser]Derek Allard[/eluser]
Yup, I get it Wink

The new input is 100% fully workable with the rest of the CI files, so just grab that one library for now.

El Forum

[eluser]Myles Wakeham[/eluser]
I don't know if this is old news or not, but I stumbled across this today:

http://lists.grok.org.uk/pipermail/full-...64500.html

Myles

El Forum

[eluser]sissy[/eluser]
thanks for the heads up... hope it gets sorted real soon.

El Forum

[eluser]david_ais[/eluser]
Can you confirm - does v1.5.4 fully address these vulnerabilities?


Regards

David Bell
Pages: 1 2