Package Instance

SQL Injection
Critical SQL injection bug in the ODBC database driver.

Cross-site Scripting
XSS attack vector in Security Library method `xss_clean()`.

CodeIgniter and Kohana vulnerable to PHP Object Injection
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.

Critical SQL injection bug in the ODBC database driver
There's a critical SQL injection bug in the ODBC database driver.

codeigniter/framework SQL injection in ODBC database driver
CodeIgniter 3.1.0 addressed a critical security issue within the ODBC database driver. This update includes crucial fixes to mitigate a SQL injection vulnerability, preventing potential exploitation by attackers. It is noteworthy that these fixes render the query builder and escape() functions incompatible with the ODBC driver. However, the update introduces actual query binding as a more secure alternative.

CodeIgniter Shield Vulnerable to SameSite Attackers Bypassing the CSRF Protection
### Impact
This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield.

For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`).

This vulnerability exists whether `Config\Security::$csrfProtection` is `'cookie'` or `'session'`.
It is also exploitable whether `Config\Security::$regenerate` is `true` or `false`.

### Patches
Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**.

### Workarounds
Do all of the following:
- set `Config\Security::$csrfProtection` to `'session'`
- remove old session data right after login (immediately after ID and password match)
- regenerate CSRF token right after login (immediately after ID and password match)

### References
- [CodeIgniter4 CSRF Protection](https://codeigniter4.github.io/userguide/libraries/security.html)
- [SameSite Attacks](https://canitakeyoursubdomain.name/)
- [SameSite Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)
- [The great SameSite confusion](https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/)

### For more information
If you have any questions or comments about this advisory:
* Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield)
* Email us at [security@codeigniter.com](mailto:security@codeigniter.com)

XSS vulnerability
There's an XSS attack vector in Security Library method `xss_clean()`.

Inadequate XSS Prevention in CodeIgniter/Framework Security Library
The xss_clean() method in the Security Library of CodeIgniter/Framework, specifically in versions before 3.0.3, exhibited a vulnerability that allowed certain Cross-Site Scripting (XSS) vectors to bypass its intended protection mechanisms.

The xss_clean() method is designed to sanitize input data by removing potentially malicious content, thus preventing XSS attacks. However, in versions prior to 3.0.3, it was discovered that the method did not adequately mitigate specific XSS vectors, leaving a potential security gap.

Duplicate
This advisory duplicates another.

Generation of Error Message Containing Sensitive Information
CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.