SQL Injection in Code Igniter used by PyroCMS #3278
It's fine, I have other more 'critical' vulnerabilities that I will not share with you, I'm happy to just keep them private or maybe I will just release a fully weaponized exploit just, you know, for your weeping pleasure. |
Hey @Net-ninja - thanks for the heads up man. If you would like to share them directly - feel free to email me at ryan@aiwebsystems.com - I will be glad to review and share with the team. Kind regards, Ryan |
@Net-ninja: It is incredibly standard practice across open-source to report potential security bugs to the development team in a responsible manner. Maybe we should put together a page like Drupal, so that people know that? https://drupal.org/security-team/report-issue Regardless, if you would like to send us an email then that would be very much appreciated. You can address it to phil@pyrocms.com or get in touch with Ryan. Either way please do not post security issues publicly or you are putting people at risk, which is reckless and selfish. |
I have tested this out, confirmed the issue is in 2.2/develop, and pushed a fix to that branch. We'll be releasing 2.2.4 very soon, so this will not be a problem for long. That said I did have trouble trying to find effective attack vectors. Thanks to CodeIgniter being completely unable to allow multiple queries, early termination is ineffective as it just calls it a syntax error. We are safe from our admins trying to bobby tables the website, and they are unable to expose information due to the placement of the item being a where condition. Definitely a problem, definitely something that should be fixed, definitely worth pointing it out, but any of our users that wander onto this issue should not be scared. Your admin users (or moderators) could potentially spam your DB with a fair few sleep requests and max out the DB connections, but nothing too destructive it seems. This is yet another reason why jumping ship on CodeIgniter is a great idea. Their DB system has been plagued with bugs for a while, and this issue is not something that surprises me too much. |
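The comment above narrows the impact to a WHERE clause in which stacked queries are refused, leaving time-based functions as the main thing an authenticated admin could push through. A defender who wants to see whether that is happening can scan the database's query log for exactly that shape. The script below is an added example for this thread, not code from PyroCMS or CodeIgniter; the log lines it parses are constructed in the style of MySQL's general query log (timestamp, connection id, command, statement) and are not from the issue. It flags statements whose WHERE clause contains SLEEP()/BENCHMARK() or a comment terminator, and then flags any connection that sends several such statements, which is the "spam the DB with sleep requests" pattern the comment describes.

```python
import re
from collections import Counter

# Constructed sample lines in the style of MySQL's general query log
# (timestamp, connection id, command, statement). NOT taken from the issue.
SAMPLE_LOG = """\
2014-04-25T21:48:01 12 Query SELECT * FROM pages WHERE slug = 'about'
2014-04-25T21:48:02 12 Query SELECT * FROM pages WHERE slug = 'x' AND SLEEP(5)-- '
2014-04-25T21:48:03 13 Query SELECT id FROM users WHERE email = 'a@b.c'
2014-04-25T21:48:04 12 Query SELECT * FROM pages WHERE slug = 'x' OR BENCHMARK(5000000, MD5(1))-- '
2014-04-25T21:48:05 12 Query SELECT * FROM pages WHERE slug = 'x' AND SLEEP(5)-- '
2014-04-25T21:48:06 14 Query INSERT INTO pages (slug) VALUES ('new-page')
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")
# Time-consuming MySQL functions: the hallmark of sleep spam / time-based probing.
TIME_FUNC_RE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)
# A comment opener inside the WHERE clause is how the rest of the original
# condition gets cut off. Heuristic: '#' can also occur inside legitimate
# string literals, so treat a hit as a signal, not proof.
TERMINATOR_RE = re.compile(r"--(\s|$)|#")


def parse_line(line):
    """Return (timestamp, connection id, sql) or None for non-query lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), int(m.group("conn")), m.group("sql")


def where_clause(sql):
    """Return the text after the first WHERE keyword, or '' if there is none."""
    m = re.search(r"\bWHERE\b", sql, re.IGNORECASE)
    return sql[m.end():] if m else ""


def suspicious_reasons(sql):
    """Reasons a statement's WHERE clause looks injected; empty list if clean."""
    clause = where_clause(sql)
    reasons = []
    if TIME_FUNC_RE.search(clause):
        reasons.append("time-based function in WHERE")
    if TERMINATOR_RE.search(clause):
        reasons.append("comment terminator in WHERE")
    return reasons


def analyze(log_text, dos_threshold=2):
    """Return (findings, flagged_connections).

    findings: list of (timestamp, conn, reasons) for each suspicious statement.
    flagged_connections: connection ids with at least dos_threshold suspicious
    statements, i.e. one client repeatedly tying up the database.
    """
    findings = []
    per_conn = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, conn, sql = parsed
        reasons = suspicious_reasons(sql)
        if reasons:
            findings.append((ts, conn, reasons))
            per_conn[conn] += 1
    flagged = sorted(c for c, n in per_conn.items() if n >= dos_threshold)
    return findings, flagged


if __name__ == "__main__":
    findings, flagged = analyze(SAMPLE_LOG)
    for ts, conn, reasons in findings:
        print(ts, conn, "; ".join(reasons))
    print("connections flagged for repeated sleep/benchmark statements:", flagged)
```

On the constructed log this reports three suspicious statements, all from connection 12, and flags that connection. In a real deployment the connection id is only useful if it can be tied back to the application user (for example through the application's own request log), which is what turns "someone is sending SLEEP()" into "which admin account is doing it".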
@RyanThompson Np buddy, any bug I come up with I will report to you. It's a shame you work with people like @philsturgeon. 'admin bobby tables, sheesh'. @philsturgeon If I get a chance, I'll write that remote exploit and share it with a few friends :-) I'll make sure it affects the 'Professional' edition too. |
I am not particularly sure what your problem here is, Steven?
On Fri, Apr 25, 2014 at 9:48 PM, Steven Seeley notifications@github.com
|
Hey @Net-ninja, so you know how to run metasploit-framework, whoop! Does that give you any real power or knowledge.. no.. so get off your high horse, and be a part of the community. NOTE: Usually you would report it to the vendor (PyroCMS) in private first, and give them proper time to fix it before you release it to the public.. |
There is no high horse about it. He wants to be treated with the same respect as any other human being. I am what I would consider a pretty damn good developer and even better businessman and leader. I know all about preventing vulnerabilities but not much at all about sniffing them out or exploring them, let alone formulating an attack on one. So if I were to do the same thing.. I'd be somewhat pissed at the general response too. This skill, in my opinion, is of great value and any information on this front should be swiftly met with a kind thank you first and foremost. Along with some probing questions if needed and a kind reminder to keep this out of the public eye. I would have posted it here. I don't know any better. It's not my thing. Furthermore we don't have a security section, a security email even, and our contribution guide says it should come through GitHub, and CodeIgniter is grossly outdated. Shame on us for that matter. Can't assume he knows. So say thanks, remind / inform him and see about deleting the public view and make it easier going forward. That's what I have to say about it anyways.. |
Maybe it's my mistake. I thought it was generally an understood norm in the industry that you don't post security issues in a public forum. I've discovered bugs in other systems and just poked people via email. We've had a few people do the same over the years. It's never been a problem and I've never faced any confusion on the subject. I'm not trying to give anyone a hard time, but there is obvious frustration that somebody would post a security issue directly online. This was the second in a day and the first guy posted a blog about it! When I pointed this out here the response was a combination of weird threats and promises of attacks. Not sure what that is all about. If it's because I didn't put enough thank yous in my response then I'm sorry about that. I don't like threats, but I appreciate contributions in any form. Cheers.
On Sat, Apr 26, 2014 at 12:50 AM, Ryan Thompson notifications@github.com
|
@RyanThompson You couldn't be more spot on.
kind regards, mr_me |
Well, hang on. You say "There is no 'norm' for reporting security issues." but then you say "if I had known of a security@ mailing address, you can be assured I would have just sent a private email", so... there is a norm, and if it isn't a norm for the industry then you do at least know yourself that these things should not be done publicly. :)
I didn't say anything about "metasploit", you're thinking of @ryun. Anyway, you've seen offense in something I've said, which is unfortunate. Thank you again for your contribution. I'll have security@pyrocms.com point to me, and list something in the contribution.md immediately. |
Glad we are all sorted. |
Given that the bug is actually in CodeIgniter and has been patched some time ago (2 years ago, actually), see nonchip/CodeIgniter@e273dc5, you should really update the version of CodeIgniter.
The following Proof of Concept demonstrates exploitation of the vulnerability, although currently administrative access is required:
Kind regards,
Steven Seeley