Remote Code Execution Vulnerability in 2.1.4
#1

[eluser]Unknown[/eluser]
Last night the following vulnerability report was posted on the Full Disclosure mailing list. It outlines a timing attack against session data stored in a cookie that could lead to PHP object injection & possibly remote code execution.

http://seclists.org/fulldisclosure/2014/May/54

The poster says that it's been fixed in the dev version.

Can we get a response from EllisLab on this? How quickly can this be patched in 2.1.4?

Thanks
#2

[eluser]CroNiX[/eluser]
It seems like if you used the db to store the session data it would probably prevent this as no data except the key is passed, or is able to be manipulated, via the cookie. Only the encrypted session ID is passed via cookie when using the db session method.
#3

[eluser]InsiteFX[/eluser]
That's why I always use db sessions.
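
For sites that do keep session data in the cookie, here is a sketch of defensive handling for the two issues named in the first post: a constant-time check of the cookie's authentication tag, and JSON instead of `unserialize()` so no objects are created from cookie contents. This is an added example, not code from the thread, the advisory or CodeIgniter; the function names, key and sample data are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: key, function names and session data are constructed.
const COOKIE_KEY = 'constructed-demo-key-do-not-reuse';

// Encode the session as JSON and append an HMAC-SHA256 tag over the payload.
function seal_session(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Return the session array, or null if the cookie fails verification.
function open_session(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);

    // hash_equals() compares in time independent of where the strings
    // differ; ==, === and strcmp() may stop at the first differing byte.
    if (!hash_equals($expected, $tag)) {
        return null;
    }

    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    // json_decode() yields only arrays and scalars, so no class is
    // instantiated and no __wakeup()/__destruct() can run on cookie data.
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Round trip with a valid cookie.
$cookie = seal_session(['user_id' => 42, 'role' => 'member'], COOKIE_KEY);
var_dump(open_session($cookie, COOKIE_KEY));

// Modified payload reusing the original tag: verification rejects it.
$oldTag = explode('.', $cookie)[1];
$forged = base64_encode(json_encode(['user_id' => 42, 'role' => 'admin']));
var_dump(open_session($forged . '.' . $oldTag, COOKIE_KEY));
```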



