
Thursday, July 19, 2012

CodeIgniter <= 2.1.1 xss_clean() Cross Site Scripting filter bypass

This is a security advisory for the popular PHP framework CodeIgniter. I've found several bypasses in the XSS sanitization functions in the framework. These were responsibly disclosed to the vendor and are now fixed in version 2.1.2 (CVE-2012-1915).

Monday, October 31, 2011

Piwik ≤ 1.5.1 multiple XSS vulnerabilities

Some time ago I discovered a few interesting XSS vulnerabilities in Piwik Open Source Web Analytics software. Thanks to the developers, all of those are now fixed in Piwik 1.6. But nonetheless, these are not the usual XSS cases, so I found them interesting enough to publish this.

Piwik is a downloadable, open source (GPL licensed) real time web analytics software program. It provides you with detailed reports on your website visitors: the search engines and keywords they used, the language they speak, your popular pages… and so much more.

Piwik aims to be an open source alternative to Google Analytics, and is already used on more than 150,000 websites.

Saturday, June 18, 2011

File path injection in PHP ≤ 5.3.6 file upload (CVE-2011-2202)

Since the thing went public before the new PHP version was released, I present full details of the latest PHP vulnerability I reported, together with a sweet demo exploit. The issue was found with fuzzing as part of my recent file upload research. And I still have some more to show in the future :)


My thanks go to Paweł Goleń who helped analyze the vulnerability.

The PHP Part

The whole issue is tracked as PHP bug #54939, but the website is now down. An example exploit is on pastebin. The nature of the bug is simple. PHP claims to remove the path component from HTTP file upload forms (transferred as MIME multipart/form-data requests), leaving only the file name given by the user agent. This is both for security and to fix an MSIE incompatibility (IE used to send the full path, like this: c:\WINDOWS\WHATEVER\My_file.txt).

However, in 2008 PHP developers made an off-by-one error, and, as a result, if a name starts with \ or / and has no other (back)slashes, it's left as-is. So, this allows for:
  • /vmlinuz
  • /autorun.inf (/ will map to C:\ in WINDOWS - the drive where your PHP is run from)
  • /boot.ini
and other interesting file "names" to pass through.
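
A small C model of the check described above, added here as an illustration; it is not PHP's source code, and the function names are hypothetical. It assumes the stripping logic finds the last slash or backslash and compares its position with the start of the name, and it shows the flawed comparison beside the corrected one.

```c
#include <stdio.h>
#include <string.h>

/* Last '/' or '\\' in name, or NULL if there is none. */
static const char *last_separator(const char *name)
{
    const char *s = strrchr(name, '\\');
    const char *t = strrchr(name, '/');
    if (t && (!s || t > s))
        s = t;
    return s;
}

/* Model of the flawed check: a separator at index 0 fails "s > name",
 * so the name is returned unchanged, leading slash included. */
const char *strip_path_flawed(const char *name)
{
    const char *s = last_separator(name);
    return (s && s > name) ? s + 1 : name;
}

/* Corrected check: any separator found, including one at index 0,
 * causes everything up to and including it to be dropped. */
const char *strip_path_fixed(const char *name)
{
    const char *s = last_separator(name);
    return s ? s + 1 : name;
}

int main(void)
{
    /* Constructed sample names: the IE-style path and the /boot.ini
     * case from the post, a backslash variant, and a plain name. */
    const char *samples[] = {
        "c:\\WINDOWS\\WHATEVER\\My_file.txt", "/boot.ini",
        "\\autorun.inf", "report.pdf"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s flawed=%-14s fixed=%s\n", samples[i],
               strip_path_flawed(samples[i]), strip_path_fixed(samples[i]));
    return 0;
}
```

Application code that receives uploads should not rely on this stripping alone; deriving the stored file name server-side avoids the problem regardless of the PHP version.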