CodeIgniter 4 Deserialization Vulnerability in the 'old()' Function Allowing Object Injection and Potential SQL Injection
Vulnerability
A deserialization vulnerability has been identified in CodeIgniter 4 versions prior to 4.1.6, in the 'old()' helper function. Input preserved across a redirect is handed back to old() as a string and, when it looks like serialized PHP data, is passed to unserialize(). Because the value originates from the request, a remote attacker can supply a serialized object of any class the application's autoloader can resolve; the object is instantiated on the server and any magic methods it defines (for example __wakeup() or __destruct()) run, which can lead to the execution of existing PHP code on the server. A known exploit chain built on this primitive results in SQL injection.
Impact
Exploitation of this vulnerability allows unauthorized object injection (PHP object instantiation from untrusted input), which can be chained into execution of existing PHP code on the server and, via the known exploit, into SQL injection against the application's database.
Reproduction
The vulnerability is reachable whenever an application preserves submitted input with 'RedirectResponse::withInput()' or 'redirect()->withInput()' and later reads it back with 'old()', either directly in a view or through form helper functions that call old() internally. The attacker submits a request (typically a form submission, but any request the affected controller processes) in which a field's value is a PHP-serialized string containing an object of an autoloadable class. When old() retrieves that value it is deserialized, the object is instantiated, and its magic methods execute. Which class is chosen determines the effect; the known exploit uses a class whose deserialization side effects lead to SQL injection.
Remediation
Users are advised to upgrade to CodeIgniter 4 version 4.1.6 or later. For those unable to upgrade, avoid the vulnerable path entirely: do not use the 'old()' function (directly or through the form helper functions that call it), and do not preserve input with 'RedirectResponse::withInput()' or 'redirect()->withInput()'. As a quick check, search the application and its views for calls to withInput() and old(); if neither appears, the vulnerable code is not reachable.
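The following stand-alone script is an added illustration of both the reproduction flow and the remediation above; it is not CodeIgniter's source code. It models the vulnerable shape of old() (a string that looks like serialized data is passed to unserialize()), the hardened shape (user input is returned as stored and never unserialized), and a small detection helper for log review or WAF rules. The class Gadget, the functions flashed_input(), old_vulnerable(), old_hardened() and looks_like_php_object(), and the payload are all constructed for this example; Gadget is a harmless stand-in and the real gadget chain behind the SQL-injection exploit is not reproduced.

```php
<?php
declare(strict_types=1);

// Added illustration, not CodeIgniter's own code. Gadget is a harmless
// stand-in for a real class with side effects in a magic method.
final class Gadget
{
    public string $note = '';

    // Fires automatically when unserialize() rebuilds the object.
    public function __wakeup(): void
    {
        echo "Gadget::__wakeup() executed with note='{$this->note}'\n";
    }
}

// Stand-in for the flashed session data that withInput() stores before
// redirecting; in a real request $post would be $_POST (assumption).
function flashed_input(array $post): array
{
    return ['post' => $post];
}

// Vulnerable shape (modelled on versions before 4.1.6): a string that looks
// like a serialized array or string goes straight to unserialize().
function old_vulnerable(array $flash, string $key, $default = null)
{
    $value = $flash['post'][$key] ?? $default;
    if (is_string($value) && (strpos($value, 'a:') === 0 || strpos($value, 's:') === 0)) {
        $value = unserialize($value); // the attacker controls the whole payload
    }
    return $value;
}

// Hardened shape: user input is never unserialized. Fields submitted as
// field[] already arrive from $_POST as arrays, so nothing needs decoding.
function old_hardened(array $flash, string $key, $default = null)
{
    return $flash['post'][$key] ?? $default;
}

// Detection helper (constructed for this example): flags values carrying a
// serialized PHP object token O:<len>:"<class>":<n>:{, including one nested
// inside a serialized array.
function looks_like_php_object(string $value): bool
{
    return preg_match('/(^|[{;])O:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/', $value) === 1;
}

// Constructed attacker payload: the outer array satisfies the "a:" prefix
// check, and the element inside is the object to be instantiated.
$payload = 'a:1:{i:0;O:6:"Gadget":1:{s:4:"note";s:3:"pwn";}}';
$flash   = flashed_input(['email' => $payload]);

echo "-- vulnerable old()\n";
$result = old_vulnerable($flash, 'email');   // __wakeup() runs during this call
var_dump($result[0] instanceof Gadget);

echo "-- hardened old()\n";
$result = old_hardened($flash, 'email');     // the raw string comes back, no object is created
var_dump(is_string($result));

echo "-- detection\n";
var_dump(looks_like_php_object($payload));
var_dump(looks_like_php_object('a:1:{i:0;s:3:"abc";}'));
```

Running the script shows the __wakeup() message printed from inside old_vulnerable() before the instanceof check, whereas old_hardened() hands back the untouched string. If legacy serialized data genuinely must be read, the least that should be done is unserialize($value, ['allowed_classes' => false]), which turns any object into __PHP_Incomplete_Class and fires no magic methods; the safer course is to carry structured data as JSON and never unserialize request- or session-derived strings at all.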
