Router.php - preg_replace
#1

Would anyone be able to explain why or why not the preg_replace function is potentially vulnerable inside of Router.php? Specifically on line 413.
Reply
#2

As I told you yesterday, it's not vulnerable.
Reply
#3

I followed your instructions to use this forum instead. I believe this may be an issue. Could you please elaborate on your response?
Reply
#4

@mkannan22, You might get more traction if you would explain what you think is an issue.
Reply
#5

(This post was last modified: 11-08-2017, 03:15 AM by Narf.)

(11-07-2017, 10:08 AM)mkannan22 Wrote: I followed your instructions to use this forum instead. I believe this may be an issue. Could you please elaborate on your response?

My instructions were about where to ask questions for future reference.

But I had already stated that it is not vulnerable. I don't understand what you'd want me to elaborate as there's no evidence of a vulnerability.
Reply
#6

(This post was last modified: 11-08-2017, 05:41 AM by mkannan22. Edit Reason: added more context )

(11-08-2017, 03:14 AM)Narf Wrote:
(11-07-2017, 10:08 AM)mkannan22 Wrote: I followed your instructions to use this forum instead. I believe this may be an issue. Could you please elaborate on your response?

My instructions were about where to ask questions for future reference.

But I had already stated that it is not vulnerable. I don't understand what you'd want me to elaborate as there's no evidence of a vulnerability.

The call to preg_replace may contain untrusted input. For example, the 2nd argument contains data from an environment variable that may be abused during an HTTP request from the variable val. This environment variable originated from earlier calls to is_https and module._list_process.

Here is a sample of what I am getting at here without writing a full PoC.
https://bitquark.co.uk/blog/2013/07/23/t...eg_replace
Reply
#7

(11-08-2017, 05:33 AM)mkannan22 Wrote: The call to preg_replace may contain untrusted input. For example, the 2nd argument contains data from an environment variable that may be abused during an HTTP request from the variable val.

Nonsense. There's zero environment variables involved, and both $key and $val are explicitly declared by the developer in config/routes.php.

(11-08-2017, 05:33 AM)mkannan22 Wrote: This environment variable originated from earlier calls to is_https and module._list_process.

Literally nothing in the code in question is affected by is_https(), and I don't know what module._list_process is, but it doesn't even sound related.

(11-08-2017, 05:33 AM)mkannan22 Wrote: Here is a sample of what I am getting at here without writing a full PoC.
https://bitquark.co.uk/blog/2013/07/23/t...eg_replace

Yes, if you use raw, unvalidated user input as your regular expression in preg_replace(), bad things will happen.
Nothing like that is going on in CI_Router, and it certainly doesn't mean that every preg_replace() call should be assumed to be vulnerable code, which is basically what you're implying.
Reply
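To make the trust boundary in this exchange concrete, here is an added sketch of a CI-style route resolver. It is not CodeIgniter's own code; the route table, resolve_route() and literal_route_regex() are constructed for illustration. The point it shows is the one Narf makes: the pattern and replacement come from the developer's config/routes.php, and the request URI only ever appears as the subject of preg_match()/preg_replace().

```php
<?php
// Added illustration (not CodeIgniter's own code): a minimal router in the
// style of CI_Router. The only untrusted value, the request URI, is used as
// the *subject* of preg_match()/preg_replace(); the pattern and replacement
// come from the developer-written route table.

// Route table as it would be declared in config/routes.php (constructed sample).
$route = array(
    'product/(:num)'     => 'catalog/product_lookup/$1',
    'blog/(:any)/(:num)' => 'blog/view/$1/$2',
    'about'              => 'pages/view/about',
);

// Turn a route key into a full regex. The (:any) / (:num) placeholders are
// rewritten to character classes; anything else in the key is treated as a
// regex fragment the developer wrote on purpose.
function route_to_regex($key)
{
    $key = str_replace(array(':any', ':num'), array('[^/]+', '[0-9]+'), $key);
    return '#^' . $key . '$#';
}

// Resolve a request URI against the route table. Returns the rewritten
// controller path, or null when no route matches.
function resolve_route(array $routes, $uri)
{
    foreach ($routes as $key => $val) {
        $regex = route_to_regex($key);
        if (preg_match($regex, $uri)) {
            // $val may carry $1, $2 back-references; $uri is only the subject.
            return preg_replace($regex, $val, $uri);
        }
    }
    return null;
}

// The boundary the thread is about: code that *does* build a pattern from
// request data (a hypothetical misuse, not something CI_Router does) has to
// neutralise it with preg_quote() before it may reach a preg_*() call.
function literal_route_regex($user_supplied)
{
    return '#^' . preg_quote($user_supplied, '#') . '$#';
}

var_dump(resolve_route($route, 'product/42'));
var_dump(resolve_route($route, 'blog/hello-world/7'));
var_dump(resolve_route($route, 'product/abc'));
var_dump(literal_route_regex('product/(:num)'));
```

The first two calls rewrite the URI through the developer's replacement string, the third matches nothing and yields null, and the last shows the user-supplied text escaped into a literal match rather than a live pattern.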