CodeIgniter 2.1 – ‘xss_clean()’ Filter Security Bypass

• Exploit Database
• 12 阅读

• 作者： Krzysztof Kotowicz
  日期： 2012-07-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37521/

• source: https://www.securityfocus.com/bid/54620/info
  
  CodeIgniter is prone to a security-bypass vulnerability.
  
  An attacker can exploit this issue to bypass XSS filter protections and perform cross-site scripting attacks.
  
  CodeIgniter versions prior to 2.1.2 are vulnerable. 
  
  Build an application on CodeIgniter 2.1.0:
  
  // application/controllers/xssdemo.php
  <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
  
  class Xssdemo extends CI_Controller {
  
  public function index() {
  $data['xss'] =
  $this->security->xss_clean($this->input->post('xss'));
  $this->load->view('xssdemo', $data);
  }
  }
  
  // application/views/xssdemo.php
  <form method=post>
  <textarea name=xss><?php echo htmlspecialchars($xss);
  ?>&lt;/textarea&gt;
  <input type=submit />
  </form>
  <p>XSS:
  <hr />
  <?php echo $xss ?>
  
  Launch http://app-uri/index.php/xssdemo and try above vectors.