CodeIgniter Forums
Is codeigniter vulnerable to XSS attacks through input->user_agent()?

Is codeigniter vulnerable to XSS attacks through input->user_agent()? - El Forum - 02-14-2010

ChiefChirpa
According to http://seclists.org/fulldisclosure/2009/Jul/422 :

Quote:
$CI->input->user_agent() fails to check the validity of user-agent type.
It simply extracts from $_SERVER array without checking whether it is
bad string injection or not. In this case, we can spoof user agent
string of our browser with our arbitrary commands that can bypass
stronger CodeIgniter Security class even if
$config['global_xss_filtering'] = TRUE;. Thus we can execute XSS on
the fly.

Is this correct? Because the session class, tank_auth, etc. all call $CI->input->user_agent() without running it through input->xss_clean()...

The method in question (from 1.72):

Code:
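function user_agent()
{
    // Return the cached value if the header was already read.
    if ($this->user_agent !== FALSE)
    {
        return $this->user_agent;
    }

    // Read the raw header from $_SERVER; no filtering or escaping is applied.
    $this->user_agent = ( ! isset($_SERVER['HTTP_USER_AGENT'])) ? FALSE : $_SERVER['HTTP_USER_AGENT'];

    return $this->user_agent;
}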

It seems correct to me...
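
Added example, not part of the original post and not CodeIgniter's own code: because the quoted method returns the header exactly as received, any view that prints a stored user agent has to encode it at output. The helper names (`get_user_agent`, `e`, `render_row_unsafe`, `render_row_safe`) and the admin-view scenario are assumptions, and the request data is constructed.

```php
<?php
// Added example, not CodeIgniter source. get_user_agent() mirrors the
// behaviour of the method quoted above: the header comes back unmodified.
function get_user_agent(array $server)
{
    return isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : false;
}

// Hypothetical helper: encode an untrusted value for an HTML text node or a
// quoted attribute. ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE keeps
// invalid UTF-8 from collapsing the whole string to "".
function e($value)
{
    if ($value === false || $value === null) {
        return '(none)';
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical admin view that lists a stored session row, written the way
// a view looks when the value is assumed to be clean.
function render_row_unsafe(array $row)
{
    return '<td title="' . $row['user_agent'] . '">' . $row['user_agent'] . '</td>';
}

// Same view with encoding applied at the point of output.
function render_row_safe(array $row)
{
    return '<td title="' . e($row['user_agent']) . '">' . e($row['user_agent']) . '</td>';
}

// Constructed request data: an ordinary header, one carrying markup, one absent.
$requests = array(
    array('HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64)'),
    array('HTTP_USER_AGENT' => '"><script>alert(1)</script>'),
    array(),
);

foreach ($requests as $server) {
    $row = array('user_agent' => get_user_agent($server));
    echo 'unsafe: ', render_row_unsafe($row), "\n";
    echo 'safe:   ', render_row_safe($row), "\n\n";
}
```

Run with `php` on the command line; in the second case the unsafe row closes the attribute and emits a live tag, while the safe row renders the same bytes as inert text.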