CodeIgniter Forums
Server Overload Risk Vulnerability Fixes - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Development (https://forum.codeigniter.com/forumdisplay.php?fid=6)
+--- Forum: CodeIgniter 2.x (https://forum.codeigniter.com/forumdisplay.php?fid=18)
+--- Thread: Server Overload Risk Vulnerability Fixes (/showthread.php?tid=90942)



Server Overload Risk Vulnerability Fixes - Dialedin - 05-25-2024

We've identified and patched a vulnerability in the "Server Overload Risk Fixes" of CodeIgniter 2.6 that could potentially lead to Denial of Service (DoS) attacks. This vulnerability allows an attacker to consume a large amount of memory on the server.

Vulnerability Details:

Fix Description:
We've developed a fix for this vulnerability that involves modifying two core files: Router.php and URI.php. The fix ensures that regular expressions used in routing and URI validation are properly anchored to prevent malicious exploitation.

Patch:

diff --git a/system/core/Router.php b/system/core/Router.php
index b39dc16..d1c8b50 100755
--- a/system/core/Router.php
+++ b/system/core/Router.php
@@ -379,12 +379,12 @@ class CI_Router {
            $key = str_replace(':any', '.+', str_replace(':num', '[0-9]+', $key));

            // Does the RegEx match?
-            if (preg_match('#^'.$key.'$#', $uri))
+            if (preg_match('#\A'.$key.'\z#u', $uri))
            {
                // Do we have a back-reference?
                if (strpos($val, '$') !== FALSE AND strpos($key, '(') !== FALSE)
                {
-                    $val = preg_replace('#^'.$key.'$#', $val, $uri);
+                    $val = preg_replace('#\A'.$key.'\z#u', $val, $uri);
                }

                return $this->_set_request(explode('/', $val));
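Review bot: the only behavioural differences on the `preg_match` line `+            if (preg_match('#\A'.$key.'\z#u', $uri))` are that `\z` no longer matches before a trailing newline (`$` does without the `D` modifier) and that `u` makes `preg_match()` return `false` when `$uri` is not valid UTF-8, so such a URI now silently skips every route instead of possibly matching one. Neither anchor change bounds backtracking, and `:any` still expands to `.+` on the unchanged line above, so the post's memory-consumption claim is not supported by this hunk; please document the actual trigger, and consider checking `preg_last_error()` when the match returns `false` rather than treating an error as "no match".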
diff --git a/system/core/URI.php b/system/core/URI.php
index a66cd71..cf38e17 100755
--- a/system/core/URI.php
+++ b/system/core/URI.php
@@ -255,7 +255,7 @@ class CI_URI {
        {
            // preg_quote() in PHP 5.3 escapes -, so the str_replace() and addition of - to preg_quote() is to maintain backwards
            // compatibility as many are unaware of how characters in the permitted_uri_chars will be parsed as a regex pattern
-            if ( ! preg_match("|^[".str_replace(array('\\-', '\-'), '-', preg_quote($this->config->item('permitted_uri_chars'), '-'))."]+$|i", $str))
+            if ( ! preg_match("/\A[".str_replace(array('\\-', '\-'), '-', preg_quote($this->config->item('permitted_uri_chars'), '-'))."]+\z/iu", $str))
            {
                show_error('The URI you submitted has disallowed characters.', 400);
            }
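Review bot: switching the pattern delimiter from `|` to `/` on the `+` line introduces a regression risk: `preg_quote()` is called with `-` as its delimiter, so it always escapes `|` (a regex metacharacter) but never `/`, and a `permitted_uri_chars` value containing `/` would now break the pattern, make `preg_match()` return `false`, and have this branch report a 400 for every request. Either keep `|` or escape `/` in the built class. The `\A...\z` change does tighten the check, since `$` without `D` let a segment ending in `\n` pass, and `u` now rejects invalid UTF-8 with the same 400; both are behaviour changes that the fix description should state.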
--
2.34.1

Thank you for your attention to this matter and your continued support of CodeIgniter.

Best regards.
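To make concrete what the anchoring change in URI.php actually alters, here is an added example (not code from this thread or from CodeIgniter) that rebuilds the permitted-character check with both the old and the new pattern and runs it over a few constructed URI segments; the default CodeIgniter 2 value of permitted_uri_chars is assumed.

```php
<?php
// Added example, not part of the thread or of CodeIgniter itself.
// Assumed: the default CI 2 value of $config['permitted_uri_chars'].
$permitted = 'a-z 0-9~%.:_\-';

// Builds the character class the same way URI.php does: preg_quote() with '-'
// as delimiter, then the escaped '\-' is turned back into a plain '-'.
function uri_char_class(string $permitted): string
{
    return str_replace(array('\\-', '\-'), '-', preg_quote($permitted, '-'));
}

// Old check: ^...$ without the D modifier, so $ also matches just before a
// final "\n" and a segment ending in a newline is accepted.
function allowed_old(string $str, string $permitted): bool
{
    return preg_match('|^[' . uri_char_class($permitted) . ']+$|i', $str) === 1;
}

// New check: \A and \z are absolute anchors, and u makes preg_match() return
// false (not 0) for input that is not valid UTF-8; both cases end up rejected.
function allowed_new(string $str, string $permitted): bool
{
    return preg_match('/\A[' . uri_char_class($permitted) . ']+\z/iu', $str) === 1;
}

// Constructed sample segments and what they exercise.
$samples = array(
    "welcome"     => 'plain segment',
    "welcome\n"   => 'trailing newline',
    "wel\ncome"   => 'embedded newline',
    "caf\xC3\xA9" => 'valid UTF-8, disallowed char',
    "\xC3"        => 'lone invalid UTF-8 byte',
);

foreach ($samples as $str => $label) {
    printf("%-30s old=%-5s new=%s\n",
        $label,
        var_export(allowed_old($str, $permitted), true),
        var_export(allowed_new($str, $permitted), true));
}
```

Only the "trailing newline" row differs between the two columns (old=true, new=false), which is the concrete effect of replacing `$` with `\z`; the other rows are rejected by both patterns.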


RE: Server Overload Risk Vulnerability Fixes - kenjis - 05-25-2024

It seems you just changed "^...$" to "\A...\z" and added `u` option.
Could you elaborate about the DoS attacks?


RE: Server Overload Risk Vulnerability Fixes - Bosborne - 05-26-2024

How do you expect us to believe you are concerned about vulnerabilities when you run code that is so outdated & vulnerable? Why spend time painting the walls while the house is burning??

You are probably running a very vulnerable PHP version too. I doubt CI 2.6 will run on PHP 8.2 or 8.3.

The fix is to upgrade to CI4 & PHP 8.