TITLE:
CodeIgniter Weakness and Directory Traversal Vulnerability

SECUNIA ADVISORY ID:
SA25991

VERIFY ADVISORY:
http://secunia.com/advisories/25991/

CRITICAL:
Moderately critical

IMPACT:
Cross Site Scripting, Exposure of system information, Exposure of
sensitive information

WHERE:
From remote

SOFTWARE:
CodeIgniter 1.x
http://secunia.com/product/14742/

DESCRIPTION:
Lukasz Pilorz has reported a vulnerability and a weakness in
CodeIgniter, which can be exploited by malicious people to disclose
sensitive information and conduct cross-site scripting and header
injection attacks.

1) Input passed to the “c” parameter in index.php is not properly
sanitised before being used to display files. This can be exploited to
display arbitrary files via directory traversal attacks.

Successful exploitation requires that the “enable_query_strings” option
is enabled.

2) Input passed to the xss_clean() function is not properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user’s browser session in context of
an affected site.

An issue that can cause the _sanitize_globals() method to remove global
variables has also been reported.

The vulnerability and the weakness are reported in version 1.5.3. Other
versions may also be affected.
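
As an added illustration (not CodeIgniter's code and not the fix committed to SVN), this is one defensive way to handle a query-string controller name such as the “c” parameter in issue 1: allowlist the characters, then confirm the canonical path stays inside the controllers directory. The function name, the temporary directory and the sample inputs are hypothetical and constructed for the demonstration.

```php
<?php
// Added example: hypothetical resolver, not code from CodeIgniter. Needs PHP 7.1+.

/**
 * Map an untrusted controller name (e.g. the "c" query-string value) to a
 * file inside $baseDir. Returns the canonical path, or null if rejected.
 */
function resolve_controller(string $baseDir, $name): ?string
{
    // Arrays (?c[]=x) and other non-string input are rejected outright.
    if (!is_string($name)) {
        return null;
    }
    // Allowlist: a letter, then letters, digits or underscore. This excludes
    // ".", "/", "\", NUL bytes and leftover percent-encoding in one step.
    if (preg_match('/\A[A-Za-z][A-Za-z0-9_]{0,63}\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Defence in depth: canonicalise (resolves symlinks) and confirm the
    // result is still located under the controllers directory.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary controllers directory holding one file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ctl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'welcome.php', "<?php // constructed sample\n");

// Constructed inputs: one valid name, then values that must be rejected.
$samples = ['welcome', '../secret', '..%2fsecret', "welcome\0", ['welcome'], 'missing'];
foreach ($samples as $candidate) {
    $resolved = resolve_controller($dir, $candidate);
    printf("%-22s => %s\n", json_encode($candidate), $resolved === null ? 'rejected' : 'accepted');
}

unlink($dir . DIRECTORY_SEPARATOR . 'welcome.php');
rmdir($dir);
```

Only the first sample is accepted; the rest are rejected before any file is opened, and the name "missing" is rejected because no such controller file exists.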

SOLUTION:
1, 2) Reportedly fixed in the SVN repository.

PROVIDED AND/OR DISCOVERED BY:
Lukasz Pilorz

ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064500.html