CodeIgniter 1.5.3 vulnerabilities

CodeIgniter is a powerful PHP framework with a very small footprint, built for PHP coders who need a simple and elegant toolkit to create full-featured web applications. (http://www.codeigniter.com)

1. _sanitize_globals() global variables unsetting
By setting e.g. "_SERVER=anonymous" cookie in the browser, an attacker can cause the _sanitize_globals() method to remove $_SERVER array or any other global variable.
Solution: fixed in SVN (28.06.2007)

2. "enable_query_strings" path traversal
$_GET["c"] variable is vulnerable to path traversal, if enable_query_strings=TRUE is set in config.php. Example:
http://localhost/index.php?c=../../logs/log-2007-06-24
Solution: fixed in SVN (28.06.2007)

3. xss_clean() XSS vulnerability
Examples:
xss_clean('<img src=""onerror="eval(String.fromCharCode(97,108,101,114,116,40,39,33,39,41))">');
xss_clean("<x<xss>ss <scr<xss>ipta='>'>alert/**/('!');//*/</script</script >>");
Solution: partially fixed in SVN (26.06.2007)
I suggest using HTML Purifier in place of xss_clean()

4. redirect() header injection
redirect() function in url_helper.php is vulnerable to header injection attacks (PHP < 4.4.2 or PHP < 5.1.2). Example:
redirect("\r\nSet-Cookie: Test=X");
Solution: filter user data before passing to redirect() function (in PHP < 4.4.2 or PHP < 5.1.2)

Best regards,
Łukasz Pilorz
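
The input filtering that items 2 and 4 call for, as an added example that is not part of the original post and is not CodeIgniter's own fix. The function names, the allowed character sets and the assumption that redirect targets are site-relative URI strings are all hypothetical.

```php
<?php
// Added example, not CodeIgniter code; function names are hypothetical.

// Item 2: a controller name taken from $_GET["c"] must be a bare
// identifier, so "../", slashes and NUL bytes never reach a file path.
// \z (not $) is used so a trailing newline cannot slip through.
function is_safe_controller_name($name)
{
    return is_string($name)
        && preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name) === 1;
}

// Item 4: return $uri only if it cannot end the Location header early.
// Assumption: redirect targets are site-relative URI strings.
function clean_redirect_uri($uri, $fallback = '')
{
    if (!is_string($uri) || $uri === '') {
        return $fallback;
    }
    // CR, LF and every other control character are rejected outright,
    // not stripped, so a tampered value never reaches header().
    if (preg_match('/[\x00-\x1F\x7F]/', $uri) === 1) {
        return $fallback;
    }
    // Conservative allowlist for path-style URIs (assumed character set).
    if (preg_match('#\A[A-Za-z0-9_\-./]+\z#', $uri) !== 1) {
        return $fallback;
    }
    return $uri;
}

// Constructed inputs; the second of each pair is the example from the post.
$controllers = array('welcome', '../../logs/log-2007-06-24');
foreach ($controllers as $c) {
    echo var_export($c, true), ' => ',
        is_safe_controller_name($c) ? "accepted\n" : "rejected\n";
}

$targets = array('news/latest', "\r\nSet-Cookie: Test=X");
foreach ($targets as $t) {
    echo var_export($t, true), ' => ',
        var_export(clean_redirect_uri($t), true), "\n";
}
```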
