Login

Dialedin · 05-25-2024, 12:06 AM

We've identified and patched a vulnerability in the "Server Overload Risk Fixes" of CodeIgniter 2.6 that could potentially lead to Denial of Service (DoS) attacks. This vulnerability allows an attacker to consume a large amount of memory on the server.

Vulnerability Details:

Framework: CodeIgniter 2.6
Vulnerability Type: DoS (Denial of Service)
Affected Versions: Up to 2.6
CVE ID: https://www.cvedetails.com/cve/CVE-2024-29904/[url=https://www.cvedetails.com/cve/CVE-2024-29904/][/url]

Fix Description:
We've developed a fix for this vulnerability that involves modifying two core files: Router.php and URI.php. The fix ensures that regular expressions used in routing and URI validation are properly anchored to prevent malicious exploitation.

Patch:

Code:
diff --git a/system/core/Router.php b/system/core/Router.php

index b39dc16..d1c8b50 100755

--- a/system/core/Router.php

+++ b/system/core/Router.php

@@ -379,12 +379,12 @@ class CI_Router {

            $key = str_replace(':any', '.+', str_replace(':num', '[0-9]+', $key));

            // Does the RegEx match?

-            if (preg_match('#^'.$key.'$#', $uri))

+            if (preg_match('#\A'.$key.'\z#u', $uri))

            {

                // Do we have a back-reference?

                if (strpos($val, '$') !== FALSE AND strpos($key, '(') !== FALSE)

                {

-                    $val = preg_replace('#^'.$key.'$#', $val, $uri);

+                    $val = preg_replace('#\A'.$key.'\z#u', $val, $uri);

                }

                return $this->_set_request(explode('/', $val));

diff --git a/system/core/URI.php b/system/core/URI.php

index a66cd71..cf38e17 100755

--- a/system/core/URI.php

+++ b/system/core/URI.php

@@ -255,7 +255,7 @@ class CI_URI {

        {

            // preg_quote() in PHP 5.3 escapes -, so the str_replace() and addition of - to preg_quote() is to maintain backwards

            // compatibility as many are unaware of how characters in the permitted_uri_chars will be parsed as a regex pattern

-            if ( ! preg_match("|^[".str_replace(array('\\-', '\-'), '-', preg_quote($this->config->item('permitted_uri_chars'), '-'))."]+$|i", $str))

+            if ( ! preg_match("/\A[".str_replace(array('\\-', '\-'), '-', preg_quote($this->config->item('permitted_uri_chars'), '-'))."]+\z/iu", $str))

            {

                show_error('The URI you submitted has disallowed characters.', 400);

            }

-- 

2.34.1

Thank you for your attention to this matter and your continued support of CodeIgniter.

Best regards.