Fwd: CodeIgniter <= 2.1.4 Session Decoding Vulnerability

Florian Pritz bluewind at xinu.at
Wed Jun 11 14:08:01 CEST 2014

The issue has been fixed in filebin commit 77f15dc (current master HEAD).

-------- Original Message --------
Subject: CodeIgniter <= 2.1.4 Session Decoding Vulnerability
Date: Tue, 10 Jun 2014 15:38:32 +0000
From: Robin Bailey <Robin.Bailey at dionach.com>
To: bugtraq at securityfocus.com <bugtraq at securityfocus.com>

Class                      Weak encryption
Remote                Yes
Published            6th June 2014

Credit                    Robin Bailey of Dionach (vulns at dionach.com)
Vulnerable          CodeIgniter <= 2.1.4

Session cookies created by the CodeIgniter PHP framework contain a
number of variables in a serialized PHP array. To prevent users from
tampering with this cookie two options are available: either an MD5
checksum is used or the cookie is encrypted.

If the application is configured to encrypt the cookie, it will attempt
to use 256bit AES from the Mcrypt PHP library. If this library is not
available (note that the library was not required, and was not mentioned
in the framework documentation) then it will silently fall back to using
a custom XOR based encryption.

Because the structure of the session cookie is known, and the cookie
contains a number of user-defined parameters (such as the UserAgent), it
is possible to decrypt the cookie by performing an offline brute-force
attack to obtain the (hashed) encryption key with keys of increasing
length. Real world tests showed that this takes between a few seconds
and a few minutes.

Once the encryption key has been obtained, there are a number of attacks
that can be performed:

1. The session cookie can be decrypted, which may expose session variables.
2. The cookie is passed to an unserialize() call immediately after
decryption, so PHP object injection may be possible depending on the
classes available (note that the core CodeIgniter classes are not
3. Session variables can be injected, which can lead to an
authentication bypass in some applications by injecting a "username" or
"email" session variable.

Full details of the vulnerability and proof of concept attack scripts
are available here:


After this issue was reported to the vendor (EllisLab), CodeIgniter
2.2.0 was released that removes the XOR based encryption, and required
Mcrypt if encryption is used in the application. Note that this
vulnerability can be mitigated by installing Mcrypt, as the vulnerable
code will no longer be used.


27/05/2014         Vulnerability identified
28/05/2014         Initial vendor contact
28/05/2014         Vendor response to contact
29/05/2014         Vulnerability disclosed to vendor
29/05/2014         Vendor confirms vulnerability
05/06/2014         Vendor releases patch
06/06/2014         Public disclosure of vulnerability


Disclaimer: This e-mail and any attachments are confidential.

It may contain privileged information and is intended for the named
addressee(s) only. It must not be distributed without Dionach Ltd consent.
If you are not the intended recipient, please notify the sender
immediately and destroy this e-mail.

Any unauthorised copying, disclosure or distribution of the material in
this e-mail is strictly forbidden. Unless expressly stated, opinions in
this e-mail are those of the individual sender, and not of Dionach Ltd.

Dionach Ltd, Greenford House, London Road, Wheatley, Oxford OX33 1JH
Company Registration No. 03908168, VAT No. GB750661242


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.server-speed.net/archives/filebin-general/attachments/20140611/cf3b395d/attachment.asc>

More information about the Filebin-general mailing list