New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities

[eluser]Jumper[/eluser]
Below is a copy of a new entry in the "full-disclosure" mailing list (a security mailing list).
Section 3 below looks pretty bad, especially because there is no fix even in the SVN.

Quote: CodeIgniter 1.5.3 vulnerabilities

1. _sanitize_globals() global variable unsetting
By setting e.g. a "_SERVER=anonymous" cookie in the browser, an attacker can cause the _sanitize_globals() method to remove the $_SERVER array or any other global variable.

Solution: fixed in SVN (28.06.2007)


2. "enable_query_strings" path traversal
The $_GET["c"] variable is vulnerable to path traversal if enable_query_strings=TRUE is set in config.php. Example:
http://localhost/index.php?c=../../logs/log-2007-06-24

Solution: fixed in SVN (28.06.2007)


3. xss_clean() XSS vulnerability
Example:
xss_clean("ss <script
a='>'>alert/**/('!');//*/</script</script >>");

Solution: partially fixed in SVN (26.06.2007). I suggest using HTML Purifier in place of xss_clean().


4. redirect() header injection
The redirect() function in url_helper.php is vulnerable to header injection attacks (PHP < 4.4.2 or PHP < 5.1.2). Example:
redirect("\r\nSet-Cookie: Test=X");

Solution: filter user data before passing it to the redirect() function (in PHP < 4.4.2 or PHP < 5.1.2).


Best regards,
Łukasz Pilorz
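
As an added illustration (not CodeIgniter's code, and not part of the advisory or the post above), the PHP below shows hardened handling of the three patterns behind items 1, 2 and 4: a protected-name list for the register_globals=off emulation that item 1 describes, an identifier whitelist plus realpath containment check for the query-string controller name of item 2, and a redirect-target check that rejects CR/LF and non-http(s) targets for item 4. Item 3 is left out because the xss_clean() filter itself is not reproduced here. The function names, the protected list and the inputs in the self-check are my own assumptions, not CodeIgniter's API; the example needs PHP 7.1 or later.

```php
<?php
// Added example, not CodeIgniter's code: hardened versions of the patterns
// behind items 1, 2 and 4 of the advisory. Run with `php demo.php`.
declare(strict_types=1);

// Item 1. The advisory: a cookie named "_SERVER" made _sanitize_globals()
// wipe $_SERVER. Emulating register_globals=off must skip protected names
// before touching anything. Returns the request keys it is safe to clear.
function global_names_to_clear(array $sources): array
{
    $protected = ['GLOBALS', '_SERVER', '_GET', '_POST', '_COOKIE', '_FILES',
                  '_REQUEST', '_SESSION', '_ENV'];
    $names = [];
    foreach ($sources as $source) {           // e.g. [$_GET, $_POST, $_COOKIE]
        foreach (array_keys($source) as $key) {
            $key = (string) $key;
            if (in_array($key, $protected, true)) {
                continue;                     // hostile key: leave the superglobal alone
            }
            $names[] = $key;
        }
    }
    return array_values(array_unique($names));
}

// Item 2. With enable_query_strings=TRUE the controller name came from $_GET['c'].
// Accept only a plain identifier that resolves to a file inside $controllers_dir;
// the realpath containment check also covers symlinks the regex cannot see.
function resolve_controller(string $name, string $controllers_dir): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $name)) {
        return null;                          // "../../logs/log-2007-06-24" stops here
    }
    $base = realpath($controllers_dir);
    $path = realpath($controllers_dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Item 4. Before PHP 4.4.2 / 5.1.2, header() let CR/LF through, so
// redirect("\r\nSet-Cookie: Test=X") emitted an attacker-chosen header.
// Reject control characters and anything that is not http(s) or site-relative.
function safe_redirect_target(string $uri): string
{
    if (preg_match('/[\x00-\x1F\x7F]/', $uri)) {
        throw new InvalidArgumentException('control character in redirect target');
    }
    $parts = parse_url($uri);
    if ($parts === false) {
        throw new InvalidArgumentException('unparseable redirect target');
    }
    $scheme   = strtolower($parts['scheme'] ?? '');
    $absolute = in_array($scheme, ['http', 'https'], true) && isset($parts['host']);
    $relative = $scheme === '' && !isset($parts['host'])
        && $uri !== '' && $uri[0] === '/' && substr($uri, 0, 2) !== '//';
    if (!$absolute && !$relative) {
        throw new InvalidArgumentException('disallowed redirect target: ' . $uri);
    }
    return $uri;
}

function redirect(string $uri): void
{
    header('Location: ' . safe_redirect_target($uri), true, 302);
    exit;
}

// Self-check on constructed inputs (the cookie, URL and redirect string above).
function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

if (PHP_SAPI === 'cli') {
    $cleared = global_names_to_clear([['_SERVER' => 'anonymous', 'lang' => 'en']]);
    check(!in_array('_SERVER', $cleared, true), 'item 1: _SERVER must be protected');
    check(in_array('lang', $cleared, true), 'item 1: ordinary keys are still cleared');

    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ci_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'welcome.php', "<?php\n");
    check(resolve_controller('welcome', $dir) !== null, 'item 2: valid controller resolves');
    check(resolve_controller('../../logs/log-2007-06-24', $dir) === null, 'item 2: traversal rejected');
    unlink($dir . DIRECTORY_SEPARATOR . 'welcome.php');
    rmdir($dir);

    check(safe_redirect_target('/welcome') === '/welcome', 'item 4: site-relative target accepted');
    foreach (["\r\nSet-Cookie: Test=X", 'javascript:alert(1)', '//evil.example/'] as $bad) {
        try {
            safe_redirect_target($bad);
            check(false, 'item 4: accepted ' . addcslashes($bad, "\r\n"));
        } catch (InvalidArgumentException $e) {
            // expected: the target is rejected before header() is ever called
        }
    }
    echo "all checks passed\n";
}
```

The redirect check is written to return the validated string rather than to emit the header itself, so it can be exercised from the command line; redirect() is the thin wrapper a controller would call. On a modern PHP the CR/LF case is already refused by header() itself, but the scheme and host checks still matter, since an open redirect to an attacker's host is not something header() protects against.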


New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities - by El Forum - 07-10-2007, 07:19 AM


