codeigniter-multi.txt

`CodeIgniter is a powerful PHP framework with a very small footprint,  
built for PHP coders who need a simple and elegant toolkit to create  
full-featured web applications.  
(http://www.codeigniter.com)  
  
  
1. _sanitize_globals() global variables unsetting  
By setting e.g. "_SERVER=anonymous" cookie in the browser, an attacker  
can cause the _sanitize_globals() method to remove $_SERVER array or  
any other global variable.  
  
Solution: fixed in SVN (28.06.2007)  
  
  
2. "enable_query_strings" path traversal  
$_GET["c"] variable is vulnerable to path traversal, if  
enable_query_strings=TRUE is set in config.php. Example:  
http://localhost/index.php?c=../../logs/log-2007-06-24  
  
Solution: fixed in SVN (28.06.2007)  
  
  
3. xss_clean() XSS vulnerability  
Examples:  
xss_clean('<img src=""  
onerror="eval(String.fromCharCode(97,108,101,114,116,40,39,33,39,41))">');  
xss_clean("<x<xss>ss <scr<xss>ipt  
a='>'>alert/**/('!');//*/</script</script >>");  
  
Solution: partially fixed in SVN (26.06.2007)  
I suggest using HTML Purifier in place of xss_clean()  
  
  
4. redirect() header injection  
redirect() function in url_helper.php is vulnerable to header  
injection attacks (PHP < 4.4.2 or PHP < 5.1.2). Example:  
redirect("\r\nSet-Cookie: Test=X");  
  
Solution: filter user data before passing to redirect() function (in  
PHP < 4.4.2 or PHP < 5.1.2)  
  
  
Best regards,  
Łukasz Pilorz  
`