CodeIgniter Forums
New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forum-20.html)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forum-23.html)
+--- Thread: New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities (/thread-1988.html)



New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities - El Forum - 07-10-2007

[eluser]Jumper[/eluser]
Below is a copy of a new entry in "full-disclosure" mailing list (security mailing list)
Section 3 below looks pretty bad, especially because there is no fix even in the SVN.

Quote:CodeIgniter 1.5.3 vulnerabilities

1. _sanitize_globals() global variables unsetting
By setting e.g. a "_SERVER=anonymous" cookie in the browser, an attacker can cause the _sanitize_globals() method to remove the $_SERVER array or any other global variable.

Solution: fixed in SVN (28.06.2007)


2. "enable_query_strings" path traversal
The $_GET["c"] variable is vulnerable to path traversal if enable_query_strings=TRUE is set in config.php. Example:
http://localhost/index.php?c=../../logs/log-2007-06-24

Solution: fixed in SVN (28.06.2007)


3. xss_clean() XSS vulnerability
Examples:
xss_clean("ss <script
a='>'>alert/**/('!');//*/</script</script >>");

Solution: partially fixed in SVN (26.06.2007). I suggest using HTML Purifier in place of xss_clean().


4. redirect() header injection
The redirect() function in url_helper.php is vulnerable to header injection attacks (PHP < 4.4.2 or PHP < 5.1.2). Example:
redirect("\r\nSet-Cookie: Test=X");

Solution: filter user data before passing to redirect() function (in PHP < 4.4.2 or PHP < 5.1.2)


Best regards,
Łukasz Pilorz
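The three non-XSS issues in the advisory above, as an added example that is not part of the original post or of CodeIgniter's source: simplified PHP models of items 1, 2 and 4, each beside a hardened version, with the advisory's own payloads run through both. The "vulnerable" shapes are assumed reconstructions of the pattern each item describes, not the framework's actual code; the function names and the sample application path are invented, and the model assumes the controller name gets a ".php" suffix appended (the usual front-controller include pattern, and the reason the traversal string in item 2 names a log file without an extension). Item 3 is not modelled because a blacklist-filter bypass depends on the filter's regexes, which the page does not show.

```php
<?php
// Added example, not CodeIgniter code. Simplified models of items 1, 2 and 4
// of the advisory, each beside a hardened version. The vulnerable shapes are
// assumed reconstructions of the described pattern; names are invented here.

// ---- 1. _sanitize_globals(): unsetting globals named by request keys ----
// Vulnerable model: unset every global whose name matches a request key (the
// register_globals clean-up idea). A cookie named "_SERVER" therefore removes
// the $_SERVER entry. $globals stands in for $GLOBALS so the demo has no
// side effects on the running interpreter.
function sanitize_globals_vulnerable(array $request_keys, array &$globals)
{
    foreach ($request_keys as $key) {
        unset($globals[$key]);
    }
}

// Hardened model: a fixed protected list the loop may never touch. A real
// framework would add its own bootstrap globals to this list.
function sanitize_globals_hardened(array $request_keys, array &$globals)
{
    $protected = array('GLOBALS', '_SERVER', '_GET', '_POST', '_COOKIE',
        '_FILES', '_ENV', '_REQUEST', '_SESSION');
    foreach ($request_keys as $key) {
        if (in_array($key, $protected, true)) {
            continue; // attacker-chosen name collides with a superglobal
        }
        unset($globals[$key]);
    }
}

// ---- 2. enable_query_strings: controller name spliced into a path ----
// Vulnerable model: the name goes straight into the include path and ".php"
// is appended, so ?c=../../logs/log-2007-06-24 leaves the controllers
// directory and lands on a log file (CI-style logs carry a .php suffix here
// by assumption).
function controller_file_vulnerable($app_path, $c)
{
    return $app_path . '/controllers/' . $c . '.php';
}

// Hardened model: accept only a conservative identifier charset. No dot and
// no slash means no traversal, no null byte and no alternate extension.
function controller_file_hardened($app_path, $c)
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $c)) {
        return false;
    }
    return $app_path . '/controllers/' . $c . '.php';
}

// ---- 4. redirect(): CR/LF in the Location value ----
// Vulnerable model: the value is concatenated into the header line. On PHP
// builds older than 4.4.2 / 5.1.2, header() did not reject CR/LF, so
// "\r\nSet-Cookie: Test=X" became a second, attacker-controlled header.
function location_header_vulnerable($uri)
{
    return 'Location: ' . $uri;
}

// Hardened model: reject any control byte instead of stripping it, and only
// accept site-relative paths or http(s) URLs as redirect targets.
function location_header_hardened($uri)
{
    if (preg_match('/[\x00-\x1F\x7F]/', $uri)) {
        return false; // CR, LF, NUL or other control byte: refuse outright
    }
    if (!preg_match('#^(/|https?://)#i', $uri)) {
        return false; // javascript:, data: and bare words are not targets
    }
    return 'Location: ' . $uri;
}

// ---- Run the advisory's payloads against both versions (constructed) ----
$globals     = array('_SERVER' => array('REQUEST_URI' => '/'), 'color' => 'red');
$cookie_keys = array('_SERVER', 'color');   // cookie names an attacker chose

$g1 = $globals; sanitize_globals_vulnerable($cookie_keys, $g1);
$g2 = $globals; sanitize_globals_hardened($cookie_keys, $g2);
printf("1. vulnerable keeps _SERVER: %s | hardened keeps _SERVER: %s\n",
    isset($g1['_SERVER']) ? 'yes' : 'no', isset($g2['_SERVER']) ? 'yes' : 'no');

$app = '/var/www/system/application';    // invented path
$c   = '../../logs/log-2007-06-24';
printf("2. vulnerable: %s\n   hardened:   %s\n",
    controller_file_vulnerable($app, $c),
    var_export(controller_file_hardened($app, $c), true));

$target = "\r\nSet-Cookie: Test=X";
printf("4. vulnerable header bytes: %s\n   hardened:   %s\n",
    json_encode(location_header_vulnerable($target)),
    var_export(location_header_hardened($target), true));
```

Run it with `php example.php`; the hardened variants return `false` for both payloads, which the caller should turn into a 404 or a redirect to a fixed safe location rather than a "cleaned" version of the attacker's input.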



New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities - El Forum - 07-11-2007

[eluser]Bruno França[/eluser]
CodeIgniter 1.5.3 vulnerabilities
Take a look at: http://www.securityfocus.com/archive/1/473190


New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities - El Forum - 07-11-2007

[eluser]Paul Burdick[/eluser]
Oy. Derek Jones and Derek Allard were preparing a release for you guys and this guy could not even wait. Simply had to get his credit on numerous boards and lists. Not only that, but Secunia picked this up and has, as usual, more than half of its information wrong, making our job that much harder.

And there is a total solution in SVN for 3) and it has been in there for a few weeks now.


New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities - El Forum - 07-11-2007

[eluser]Jim OHalloran[/eluser]
Is there any word on when a new release which includes those fixes will be ready? Now that the vulnerabilities are public I'm fairly keen to update my apps.

Jim.


New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities - El Forum - 07-11-2007

[eluser]Derek Allard[/eluser]
Hi Jim. You can update at any time from the subversion repository if you want. I know that's not for everyone though, and we'll be releasing a new CI version shortly. Give us just a bit more time. In the meantime, if you want to be sure, don't enable query strings (not very typical anyhow) and grab the new input library. Obviously the new build will have more than that, but that will give you immediate help.


New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities - El Forum - 07-11-2007

[eluser]Jim OHalloran[/eluser]
Thanks Derek, I don't have query strings enabled, and I'll grab the new input library in the interim. I know you guys have some changes planned for the next release so I'd rather hold off till it's ready and documented rather than just dive in with the code from subversion.

Jim.


New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities - El Forum - 07-11-2007

[eluser]Derek Allard[/eluser]
Yup, I get it ;)

The new input is 100% fully workable with the rest of the CI files, so just grab that one library for now.


New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities - El Forum - 07-11-2007

[eluser]Myles Wakeham[/eluser]
I don't know if this is old news or not, but I stumbled across this today:

http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064500.html

Myles


New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities - El Forum - 07-12-2007

[eluser]sissy[/eluser]
thanks for the heads up... hope it gets sorted real soon.


New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities - El Forum - 07-13-2007

[eluser]david_ais[/eluser]
Can you confirm: does v1.5.4 fully address these vulnerabilities?


Regards

David Bell