Patrick Savalle:
It is possible to inject code into the CSRF parameter of the CI forms. This code will be sent back to the browser in the reply. The preg_match in the code snippet will fix it. Put this in /system/libraries/Security.php (replace the original piece of code).
Code:
    private function _csrf_set_hash()
    {
        if ($this->csrf_hash == '')
        {
            // If the cookie exists we will use its value. We don't necessarily want to regenerate it with
            // each page load since a page could contain embedded sub-pages causing this feature to fail.
            // The cookie value is only reused when it is exactly 32 hex characters (the shape of an md5
            // hash); anything else is discarded so that user-controlled content is never reflected.
            if (isset($_COOKIE[$this->csrf_cookie_name]) AND preg_match('#^[0-9a-f]{32}$#iS', $_COOKIE[$this->csrf_cookie_name]) > 0)
            {
                $this->csrf_hash = $_COOKIE[$this->csrf_cookie_name];
            }
            else
            {
                $this->csrf_hash = md5(uniqid(rand(), TRUE));
            }
        }
        return $this->csrf_hash;
    }
} // closing brace of the enclosing Security class
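The fix above, modelled in Python as an added example (not code from the post or from CodeIgniter): the unvalidated lookup reuses whatever the cookie holds, the validated one reuses only a well-formed 32-hex-character token and otherwise mints a fresh one. The cookie name, the hidden-field name and the use of a CSPRNG instead of md5(uniqid(rand(), TRUE)) are assumptions for the example.

```python
import re
import secrets

# Same character class and length as the PHP fix. fullmatch() is used instead of
# '^...$' because '$' (in Python re and in PCRE without the D modifier) also
# matches before a trailing newline, which would let "<32 hex>\n" slip through.
CSRF_HASH_RE = re.compile(r'[0-9a-f]{32}', re.IGNORECASE)

# Assumed cookie name; CodeIgniter reads it from config as $this->csrf_cookie_name.
COOKIE_NAME = 'ci_csrf_token'


def generate_csrf_hash():
    """Fresh 32-hex-character token (CSPRNG assumed here, unlike the post's md5 call)."""
    return secrets.token_hex(16)


def csrf_set_hash_unvalidated(cookies, cookie_name=COOKIE_NAME):
    """Original behaviour: the cookie value is reused verbatim, whatever it contains."""
    if cookie_name in cookies:
        return cookies[cookie_name]
    return generate_csrf_hash()


def csrf_set_hash(cookies, cookie_name=COOKIE_NAME):
    """Fixed behaviour: reuse the cookie only if it looks like a token, else regenerate."""
    value = cookies.get(cookie_name)
    if value is not None and CSRF_HASH_RE.fullmatch(value):
        return value
    return generate_csrf_hash()


def render_hidden_field(token, field_name='csrf_token'):
    """Where the token ends up: inside an attribute of the hidden form field (field name assumed)."""
    return '<input type="hidden" name="%s" value="%s" />' % (field_name, token)


if __name__ == '__main__':
    # Constructed cookie jars: one well-formed token, one arbitrary non-token string.
    good = {COOKIE_NAME: 'a' * 32}
    tampered = {COOKIE_NAME: 'not-a-token <b>'}
    print(render_hidden_field(csrf_set_hash_unvalidated(tampered)))  # reflected as-is
    print(render_hidden_field(csrf_set_hash(tampered)))              # replaced by a new token
    print(csrf_set_hash(good) == good[COOKIE_NAME])                  # True
```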