Full Disclosure mailing list archives
Re: CodeIgniter Global XSS Filtering Bypass Vulnerability
From: T Biehn <tbiehn () gmail com>
Date: Mon, 27 Jul 2009 16:04:12 -0400
This is a joke, right? -Travis On Mon, Jul 27, 2009 at 11:53 AM, YGN Ethical Hacker Group (http://yehg.net)<lists () yehg net> wrote:
======================================== CodeIgniter Global XSS Filtering Bypass Vulnerability ======================================== Discovered by: Aung Khant, YGN Ethical Hacker Group, Myanmar http://yehg.net/ ~ believe in full disclosure Product : CodeIgniter < http://www.codeigniter.com> Product Description : Open-source PHP Framework Pen-Tested Version : 1.5.2 Vulnerability : User-Agent injection Risk : Medium Threat : XSS, Log File Tampering Advisory URL: http://yehg.net/lab/pr0js/view.php/CodeIgniter%20Global%20XSS%20Filtering%20Bypass%20Vulnerability.pdf Description: $CI->input->user_agent() fails to check the validity of user-agent type. It simply extracts from $_SERVER array without checking whether it is bad string injection or not. In this case, we can spoof user agent string of our browser with our arbitrary commands that can bypass stronger CodeIgniter Security class even if $config['global_xss_filtering'] = TRUE;. Thus we can execute XSS on the fly. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- CodeIgniter Global XSS Filtering Bypass Vulnerability YGN Ethical Hacker Group (http://yehg.net) (Jul 27)
- Re: CodeIgniter Global XSS Filtering Bypass Vulnerability T Biehn (Jul 27)