Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: CodeIgniter Global XSS Filtering Bypass Vulnerability
From: T Biehn <tbiehn () gmail com>
Date: Mon, 27 Jul 2009 16:04:12 -0400

This is a joke, right?

-Travis

On Mon, Jul 27, 2009 at 11:53 AM, YGN Ethical Hacker Group
(http://yehg.net)<lists () yehg net> wrote:
========================================

CodeIgniter Global XSS Filtering Bypass Vulnerability

========================================

Discovered by:
Aung Khant, YGN Ethical Hacker Group, Myanmar
http://yehg.net/ ~ believe in full disclosure

Product : CodeIgniter < http://www.codeigniter.com>
Product Description : Open-source PHP Framework
Pen-Tested Version : 1.5.2
Vulnerability : User-Agent injection
Risk : Medium
Threat : XSS, Log File Tampering

Advisory URL: http://yehg.net/lab/pr0js/view.php/CodeIgniter%20Global%20XSS%20Filtering%20Bypass%20Vulnerability.pdf

Description:
$CI->input->user_agent() fails to check the validity of user-agent type.
It simply extracts from $_SERVER array without checking whether it is
bad string injection or not. In this case, we can spoof user agent
string of our browser with our arbitrary commands that can bypass
stronger CodeIgniter Security class even if
$config['global_xss_filtering'] = TRUE;. Thus we can execute XSS on
the fly.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]