• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities

#1
[eluser]Jumper[/eluser]
Below is a copy of a new entry in "full-disclosure" mailing list (security mailing list)
Section 3 below looks pretty bad. Especially because there is no fix even in the SVN..

Quote:CodeIgniter 1.5.3 vulnerabilities

1. _sanitize_globals() global variables unsetting By setting e.g. "_SERVER=anonymous" cookie in the browser, an attacker can cause the _sanitize_globals() method to remove $_SERVER array or any other global variable.

Solution: fixed in SVN (28.06.2007)


2. "enable_query_strings" path traversal $_GET["c"] variable is vulnerable to path traversal, if enable_query_strings=TRUE is set in config.php. Example:
http://localhost/index.php?c=../../logs/log-2007-06-24

Solution: fixed in SVN (28.06.2007)


3. xss_clean() XSS vulnerability
Examples:
xss_clean('ss <script
a='>'>alert/**/('!');//*/</script</script >>");

Solution: partially fixed in SVN (26.06.2007) I suggest using HTML Purifier in place of xss_clean()


4. redirect() header injection
redirect() function in url_helper.php is vulnerable to header injection attacks (PHP < 4.4.2 or PHP < 5.1.2). Example:
redirect("\r\nSet-Cookie: Test=X");

Solution: filter user data before passing to redirect() function (in PHP < 4.4.2 or PHP < 5.1.2)


Best regards,
Łukasz Pilorz

#2
[eluser]Bruno França[/eluser]
CodeIgniter 1.5.3 vulnerabilities
Take a look at: http://www.securityfocus.com/archive/1/473190

#3
[eluser]Paul Burdick[/eluser]
Oy. Derek Jones and Derek Allard were preparing a release for you guys and this guy could not even wait. Simply had to get his credit on numerous board and lists. Not only that but Secunia picked this up and has, as usual, more than half of its information wrong making our job that much harder.

And there is a total solution in SVN for 3) and it has been in there for a few weeks now.

#4
[eluser]Jim OHalloran[/eluser]
Is there any word on when a new release which includes those fixes will be ready? Now that the vulnerabilies are public I'm fairly keen to update my apps.

Jim.

#5
[eluser]Derek Allard[/eluser]
Hi Jim. You can update at any time from the subversion repository if you want. I know that's not for everyone though, and we're be releasing a new CI version shortly. Give us just a bit more time. In the meantime, if you want to be sure, don't enable query strings (not very typical anyhow) and grab the new input library. Obviously the new build will have more then that, but that will give you immediate help.

#6
[eluser]Jim OHalloran[/eluser]
Thanks Derek, I don't have query strings enabled, and I'll grab the new input library in the interim. I know you guys have some changes planned for the next release so I'd rather hold of til it's ready and documented rather than just dive in with the code from subversion.

Jim.

#7
[eluser]Derek Allard[/eluser]
Yup, I get it Wink

The new input is 100% fully workable with the rest of the CI files, so just grab that one library for now.

#8
[eluser]Myles Wakeham[/eluser]
I don't know if this is old news or not, but I stumbled across this today:

http://lists.grok.org.uk/pipermail/full-...64500.html

Myles

#9
[eluser]sissy[/eluser]
thanks for the heads up... hope it gets sorted real soon.

#10
[eluser]david_ais[/eluser]
Can you confirm - does v1.5.4 fully address these vulnerabilities?


Regards

David Bell


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.