CODEWITHSUNDEEP
securitycodeigniterxss
Vitaliy
Vitaliy

Reputation: 331

Codeigniter xss vulnerabilities and other problems with security

When i scanned my site with "Acunetix Web Vulnerability Scanner" i was very surprised. Programm show a lot of xss vulnerabilities on page when i use get parameters with xss filtration. For example: 

URL encoded GET input state was set to " onmouseover=prompt(967567) bad="
The input is reflected inside a tag parameter between double quotes.

I think its because i don`t show 404 error when result is empty (it should be). I show message like "the request is empty"

My controller:

$this->pagination->initialize($config); 
    $this->load->model('aircraft_model');

    $data['type'] = $this->input->get('type', TRUE);
    $data['year'] = $this->input->get('year', TRUE);
    $data['state'] = $this->input->get('state', TRUE);
        $type_param = array (
        'type'    => $this->input->get('type', TRUE),
        );

        $parameters = array(
        'year'    => $this->input->get('year', TRUE),
        'state_id'   => $this->input->get('state', TRUE),
        );
        foreach ($parameters as $key=>$val)
                {
                    if(!$parameters[$key])
                    {
                        unset($parameters[$key]);
                    }
                }

    $data['aircraft'] = $this->aircraft_model->get_aircraft($config['per_page'], $this->uri->segment(3, 1),$parameters, $type_param);
    $data['title'] = 'Самолеты | ';
    $data['error'] = '';
    if (empty($data['aircraft']))
    {
       $data['error'] = '<br /><div class="alert alert-info"><b>По таким критериям не найдено ниодного самолета</b></div>';
    }

    $name = 'aircraft';
    $this->template->index_view($data, $name);

even when i turn on global xss filtering program find xss vulnerabilities. Maybe Message for possible xss is false?

Also i have one SQL injection. 

Attack details:
Path Fragment input / was set to \
Error message found: 
You have an error in your SQL syntax

SQL error:

Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10, 10' at line 3
SELECT * FROM (`db_cyclopedia`) LIMIT -10, 10

Controller:

$this->load->model('cyclopedia_model');
    $this->load->library('pagination');
    $config['use_page_numbers'] = TRUE;

    [pagination config]

    $config['suffix'] = '/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");

    $config['base_url'] = base_url().'cyclopedia/page/';
    $count_all = $this->cyclopedia_model->count_all($this->input->get('type', TRUE));
    if (!empty($count_all)){
    $config['total_rows'] = $count_all;    
    }
    else
    {
    $config['total_rows'] = $this->db->count_all('cyclopedia');
    }
    $config['per_page'] = 10;
    $config['first_url'] = base_url().'cyclopedia/page/1'.'/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");

    $this->pagination->initialize($config); 

        $parameters = array(
        'cyclopedia_cat_id' => $this->input->get('type', TRUE),
        );
        foreach ($parameters as $key=>$val)
                {
                    if(!$parameters[$key])
                    {
                        unset($parameters[$key]);
                    }
                }
    $data['type'] = $this->input->get('type', TRUE);   
    $data['cyclopedia'] = $this->cyclopedia_model->get_cyclopedia($config['per_page'], $this->uri->segment(3, 1),$parameters);
    $data['title'] = 'Энциклопедия | ';
    if (empty($data['cyclopedia']))
    {
        show_404();
    }

    $name = 'cyclopedia';
    $this->template->index_view($data, $name);

And one some problems with HTTP Parameter Pollution (get parameters).

Attack details
URL encoded GET input state was set to &n954725=v953060
Parameter precedence: last occurrence
Affected link: /aircraft/grid/?type=&year=&state=&n954725=v953060
Affected parameter: type=

Sorry for a lot of code, but its my first experience with codeigniter / framework and safety first.

UPDATE: When site url like this site.com/1 codeigniter show:

An Error Was Encountered
Unable to load your default controller. Please make sure the controller specified in your Routes.php file is valid.

how to make a show 404 instead of this message?

Upvotes: 2

Views: 4607

Answers (1)

bobince
bobince

Reputation: 536369

This takes input from the user:

$config['first_url'] = base_url().'cyclopedia/page/1'.'/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");

Then this line in the Pagination.php library spits it into the output page without proper HTML-escaping:

$output .= $this->first_tag_open.'<a '.$this->anchor_class.'href="'.$first_url.'">'.$this->first_link.'</a>'.$this->first_tag_close;

Although automated scanning tools do generate a lot of false positives in general, this one is a genuine HTML-injection vulnerability leading to a real risk of cross-site scripting attacks.

To fix, wrap all output being injected into HTML context (eg $first_url) with htmlspecialchars(). Unfortunately as this is library code you would have to start your own fork of Pagination. Might be better to use some other library.

Don't rely on xss_clean as it can't reliably protect you. It is attempting to deal with output problems at the input layer, which is never going to work right - it'll miss attacks as well as mangling perfectly valid input. The whole idea betrays a basic, rookie misunderstanding of what the XSS problem actually is.

There are more places in Pagination that need the same fix, but I don't want to spend any more time reading CodeIgniter's painfully poor-quality code than I have to.

I do not understand how CodeIgniter has attained this degree of popularity.

Upvotes: 2

Related Questions