Running an unpatched application with this vulnerability allows remote attackers to launch a cross-site request forgery attack and potentially gain access to server functions and data. CodeIgniter uses the `form_helper()` function to parse the values of form inputs. A flaw may allow users to inject an arbitrary object into the input form, allowing remote attackers to execute arbitrary code. Users are advised not to use the `old()` function, as this not only makes the application vulnerable to SQL injection but also allows remote attackers to inject arbitrary objects and possibly execute arbitrary code. We are aware of a working exploit, which can lead to SQL injection.

SQL Injection (CVE-2020)

SQL injection is a type of security vulnerability that occurs when untrusted input is passed to an SQL database and the application fails to properly sanitize or parameterize that input before using it in an SQL query. An attacker can use SQL injection to gain unauthorized access to data by inserting or manipulating SQL statements. This vulnerability affects CodeIgniter as well as many other applications.

How do I protect my CodeIgniter installation?

The best way to protect your CodeIgniter installation from this vulnerability is to upgrade to the latest version of the application. This will not only remove the risk of SQL injection, but will also patch any other potential security vulnerabilities.
You could also disable remote execution via HTTP in `form_helper()` and make sure that the forms you send contain content that is either static or properly encoded.
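The following is an added illustration, not code from the advisory or from the CodeIgniter project, of the pattern behind the SQL injection described above in a CodeIgniter 4 controller: a query built by concatenating request input, beside the same lookup done with query bindings and with the Query Builder. The controller name, route methods and the `users` table are hypothetical; `Database::connect()`, `$db->query($sql, $binds)` and the Query Builder are CodeIgniter 4 APIs.

```php
<?php

namespace App\Controllers;

use CodeIgniter\Controller;
use Config\Database;

// Hypothetical controller used only to contrast the two query styles.
class UserLookup extends Controller
{
    // VULNERABLE: the raw request value becomes part of the SQL text, so a
    // quote character in ?username= changes the statement's structure.
    public function lookupUnsafe()
    {
        $db       = Database::connect();
        $username = $this->request->getGet('username');
        $sql      = "SELECT id, email FROM users WHERE username = '" . $username . "'";

        return $this->response->setJSON($db->query($sql)->getResultArray());
    }

    // HARDENED: the value is passed as a binding; the driver escapes it and
    // it can never be interpreted as SQL syntax.
    public function lookupSafe()
    {
        $db       = Database::connect();
        $username = (string) $this->request->getGet('username');
        $rows     = $db->query(
            'SELECT id, email FROM users WHERE username = ?',
            [$username]
        )->getResultArray();

        return $this->response->setJSON($rows);
    }

    // Equivalent with the Query Builder, which applies bindings itself.
    public function lookupBuilder()
    {
        $db   = Database::connect();
        $rows = $db->table('users')
            ->select('id, email')
            ->where('username', (string) $this->request->getGet('username'))
            ->get()
            ->getResultArray();

        return $this->response->setJSON($rows);
    }
}
```

Reviewing a CodeIgniter codebase for the first pattern (request values concatenated into `$db->query()` strings or raw `$db->simpleQuery()` calls) is the quickest way to find the spots the upgrade advice above is meant to cover.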

References: https://www.vulndiscovery.com/2018/11/CVE-2022-21647



Timeline

Published on: 01/04/2022 20:15:00 UTC
Last modified on: 01/20/2022 15:04:00 UTC
