| 10 |
| url |
VCID-fpcv-9quu-8fe2 |
| vulnerability_id |
VCID-fpcv-9quu-8fe2 |
| summary |
CodeIgniter Shield Vulnerable to SameSite Attackers Bypassing the CSRF Protection
### Impact
This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism when it is used with CodeIgniter Shield.
For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). Such a subdomain can set cookies scoped to the parent domain, and its requests to the target are same-site, so the `SameSite` cookie attribute does not block them.
This vulnerability exists whether `Config\Security::$csrfProtection` is `'cookie'` or `'session'`.
It is also exploitable whether `Config\Security::$regenerate` is `true` or `false`.
### Patches
Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**.
### Workarounds
Do all of the following:
- set `Config\Security::$csrfProtection` to `'session'`
- remove old session data right after login (immediately after ID and password match)
- regenerate CSRF token right after login (immediately after ID and password match)
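The attack described above, and why only the full workaround stops it, as an added example that is not part of this advisory and not CodeIgniter's or Shield's code: a toy model of the target site in Python (the real framework is PHP; the model follows only the advisory's description). `TargetSite`, `run_attack`, the `transfer` action and the money-moving outcome are assumptions made for illustration; the `ci_session` and `csrf_cookie_name` cookie names follow CodeIgniter's defaults but nothing in the model depends on them. The only attacker capability modelled is the one the advisory requires: setting a cookie from a subdomain that the parent site then reads (cookie tossing). A real browser keeps the planted `Domain=example.com` cookie next to the site's own host-only cookie and the `Domain`/`Path` ordering decides which value PHP sees first; the model collapses that by letting the planted value replace the entry.

```python
import secrets


class TargetSite:
    """Toy target at example.com, modelled on the advisory's description (assumption,
    not CodeIgniter's code). mode 'cookie': the POSTed token must equal the CSRF cookie
    (double submit). mode 'session': the POSTed token must equal the token held in the
    server-side session. regenerate: mint a new token on every page load, like
    Config\\Security::$regenerate. hardened: the advisory's workaround, drop the old
    session and its token immediately after login."""

    def __init__(self, mode, regenerate=False, hardened=False):
        self.mode, self.regenerate, self.hardened = mode, regenerate, hardened
        self.sessions = {}                      # session id -> {"csrf": token, "user": name}
        self.balances = {"victim": 100, "attacker": 0}

    def _new_session(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"csrf": secrets.token_hex(8), "user": None}
        return sid

    def _sid(self, cookies):
        sid = cookies.get("ci_session")
        return sid if sid in self.sessions else self._new_session()

    def get_page(self, cookies):
        """GET: returns (Set-Cookie dict, token embedded in the page's form)."""
        sid = self._sid(cookies)
        if self.regenerate:
            self.sessions[sid]["csrf"] = secrets.token_hex(8)
        token = self.sessions[sid]["csrf"]
        set_cookies = {"ci_session": sid}
        if self.mode == "cookie":
            set_cookies["csrf_cookie_name"] = token
        return set_cookies, token

    def login(self, cookies, user):
        sid = self._sid(cookies)
        if self.hardened:
            del self.sessions[sid]              # any id or token seen before login is now dead
            sid = self._new_session()
        self.sessions[sid]["user"] = user
        return self.get_page({"ci_session": sid})

    def post_transfer(self, cookies, posted_token, amount):
        """State-changing POST behind the CSRF check. Returns True if it went through."""
        sid = self._sid(cookies)
        if self.mode == "cookie":
            expected = str(cookies.get("csrf_cookie_name"))
        else:
            expected = self.sessions[sid]["csrf"]
        user = self.sessions[sid]["user"]
        if user is None or not secrets.compare_digest(expected, posted_token):
            return False
        self.balances[user] -= amount
        self.balances["attacker"] += amount
        return True


def run_attack(mode, regenerate=False, hardened=False):
    """True if the attacker on a.example.com moves money out of the victim's account."""
    site = TargetSite(mode, regenerate, hardened)
    # The victim's example.com cookies as the site reads them (constructed). A cookie the
    # attacker sets with Domain=example.com from a.example.com lands here as well.
    victim, attacker = {}, {}
    sc, _ = site.get_page(victim); victim.update(sc)       # victim browses anonymously
    sc, _ = site.get_page(attacker); attacker.update(sc)   # attacker gets a session of their own
    if mode == "session":
        victim["ci_session"] = attacker["ci_session"]      # toss: fix the victim's session id
    sc, _ = site.login(victim, "victim"); victim.update(sc)
    if mode == "cookie":
        victim["csrf_cookie_name"] = "tossed"              # toss: replace the double-submit cookie
        forged = "tossed"
    else:
        # The attacker knows the fixed session id, so can read its current token at any
        # time; this is why per-request regeneration alone does not help.
        _, forged = site.get_page({"ci_session": attacker["ci_session"]})
    # The victim opens the attacker's subdomain page, which auto-submits a form to
    # example.com. The request is same-site, so the victim's cookies are attached and
    # SameSite=Lax/Strict does not interfere.
    return site.post_transfer(victim, forged, 100)
```

`run_attack("session", hardened=True)` is the only combination that fails: in cookie mode the planted cookie satisfies the double-submit comparison even after login regeneration, which is why the workaround insists on `'session'` mode together with discarding the pre-login session and its token.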
### References
- [CodeIgniter4 CSRF Protection](https://codeigniter4.github.io/userguide/libraries/security.html)
- [SameSite Attacks](https://canitakeyoursubdomain.name/)
- [SameSite Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)
- [The great SameSite confusion](https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/)
### For more information
If you have any questions or comments about this advisory:
* Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield)
* Email us at [security@codeigniter.com](mailto:security@codeigniter.com) |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-35943, GHSA-5hm8-vh6r-2cjq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fpcv-9quu-8fe2 |
|
| 14 |
| url |
VCID-s6nh-cvkt-vygr |
| vulnerability_id |
VCID-s6nh-cvkt-vygr |
| summary |
Generation of Error Message Containing Sensitive Information
CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even in the production environment. As a result, confidential information (such as file paths, configuration values, or request data shown in the report) may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-46240, GHSA-hwxf-qxj7-7rfj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s6nh-cvkt-vygr |
|