Unzip vulnerable to zip-slip attack
When extracting a ZIP file using the Unzip class, a prepared zip file could overwrite arbitrary files as the basedir wasn't enforced. All released versions starting with 1.0 are affected. The issue is addressed in release v1.8.1.6. You can modify earlier versions by implementing the changes from...
auto-format of Curl responses may lead to code execution
When executing a cURL request using the RequestCurl class with an unvalidated URL provided by user input, or a request to a malicious or a legitimate but hacked website, a specially crafted response can lead to auto-execution of malicious code, due to the way the auto-formatting mechanism works...
xss_clean() doesn't clean unicode EM-spaces
On some browsers, this can cause JavaScript execution if sent unencoded to the browser. Since FuelPHP encodes everything sent to a view by default, we don't think it's an immediate risk. All released versions are affected. XSS cleaning in FuelPHP is done by the external library htmlLawed. We have...
Crypt encryption compromised
With the right knowledge, code, and GPU calculation power, Crypt encryption can be broken in minutes. All released versions starting with 1.0 are affected. The issue will be addressed in release v1.8.1. You can modify earlier versions by implementing the changes from this change, and install the...
Monolog version used has vulnerabilities
The default composer.json file installs Monolog v1.5, which contains known vulnerabilities. Monolog will be upgraded to v1.18 in the next release. You can do this yourself now by manually changing your composer.json and running "composer update"...
specially crafted sessions can cause access to files via path traversal
Using a specially crafted cURL request it is, under strict conditions, possible to access arbitrary files the webserver has access to. This requires you to use file-based sessions, a specific directory to exist on your server, and session payload encryption to be switched off. All released versions...
DB quote_identifier(), possible injection
The method "quote_identifier", which is used in the DB class to make sure identifiers are quoted, can be vulnerable to injection if uncleaned GET variables are passed to it, due to the way preg_replace has been used with the "/e" modifier. All released versions are affected. This has been addressed ...
$_GET not cleaned when parsed from REQUEST_URI
When none of the default methods of determining the request URI have succeeded, the framework will fall back to parsing the raw request URI as passed by the webserver. If this URI has a query string, it will be parsed and $_GET will be updated. In this process, the $_GET variables are not cleaned,...
ImageMagick driver does not escape all shell arguments
This vulnerability may cause OS commands to be executed when you pass unvalidated image filenames containing specially crafted strings to the ImageMagick driver. All released versions starting with 1.1 are affected. The issue will be addressed in hotfix v1.8.0.4. You can modify earlier versions by...