
Security Advisories

Reported or discovered security issues. Did you discover one? Use the contact form to report it, so it can be addressed.
Updated: 27-09-2016

SEC-CORE-007: ImageMagick driver does not escape all shell arguments

This vulnerability may allow arbitrary OS commands to be executed when unvalidated image filenames containing specially crafted strings are passed to the ImageMagick driver, because not every value that ends up on the command line is escaped as a shell argument.

All released versions starting with 1.1 are affected. The issue will be addressed in hotfix v1.8.0.4. Earlier versions can be patched by applying the changes from this change.

Reported by: ASAI Ken
Date: 29-06-2016
Affected versions: <= 1.8.0
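
The following PHP snippet is an added example for SEC-CORE-007 and is not FuelPHP's ImageMagick driver code. It contrasts a command string built by interpolating a filename with one built with escapeshellarg(), and adds the allowlist check a practitioner would put in front of the shell call. The function names and the malicious filename are constructed for illustration.

```php
<?php
// Added example for SEC-CORE-007. This is not FuelPHP's ImageMagick driver; it shows
// why a filename must be passed to the shell as a quoted argument and why an
// allowlist check belongs in front of it. The malicious filename is constructed.

/** UNSAFE: the filename is interpolated into the command string unescaped. */
function build_convert_unsafe(string $source, string $target): string
{
    return "convert $source -resize 100x100 $target";
}

/** SAFE: every variable part goes through escapeshellarg(), so it stays one argument. */
function build_convert_safe(string $source, string $target): string
{
    return 'convert ' . escapeshellarg($source) . ' -resize 100x100 ' . escapeshellarg($target);
}

/**
 * Defence in depth: accept only a plain image file name. basename() must leave it
 * unchanged (no directory parts), it must not start with '-' (quoting does not stop
 * convert from reading a leading dash as an option), and it must carry an image extension.
 */
function validate_image_filename(string $name): bool
{
    return $name !== ''
        && basename($name) === $name
        && $name[0] !== '-'
        && preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]*\.(?:jpe?g|png|gif)\z/i', $name) === 1;
}

// Constructed attacker-controlled filename: the ';' would end the convert command
// and start a second one if the string reached the shell unquoted.
$evil = 'photo.jpg; id > /tmp/injected';

echo build_convert_unsafe($evil, 'out.jpg'), PHP_EOL;   // two shell commands
echo build_convert_safe($evil, 'out.jpg'), PHP_EOL;     // one quoted argument, one command

foreach ([$evil, '-adjoin.png', '../etc/passwd.jpg', 'photo.jpg'] as $name) {
    printf("%-32s %s\n", $name, validate_image_filename($name) ? 'accepted' : 'rejected');
}
```

Escaping fixes the shell layer only; the allowlist is what keeps a name such as `-adjoin.png` from being interpreted by the ImageMagick binary itself, which is why both belong together.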

SEC-CORE-006: Monolog version used has vulnerabilities

The default composer.json file installs Monolog v1.5, which contains known vulnerabilities. Monolog will be upgraded to v1.18 in the next release. You can do this yourself now by manually changing the version constraint in your composer.json and running "composer update".

Reported by: Kenji Suzuki
Date: 01-05-2016
Affected versions: <= 1.8.0

SEC-CORE-005: specially crafted sessions can cause access to files via path traversal

Using a specially crafted cURL request it is possible, under strict conditions, to access arbitrary files the webserver has access to. This requires you to use file-based sessions, a specific directory to exist on your server, and session payload encryption to be switched off.

All released versions starting with 1.0 are affected. Given the severity, this will be addressed in the next release. You can patch current and earlier versions by applying this change.

Reported by: Takayuki Uchiyama (JPCERT/CC)
Date: 18-06-2015
Affected versions: <= 1.7.3

SEC-CORE-004: auto-format of Curl responses may lead to code execution

When executing a cURL request using the Request_Curl class with an unvalidated URL provided by user input, or with a request to a malicious, or legitimate but compromised, website, a specially crafted response can lead to automatic execution of malicious code, due to the way the auto-formatting mechanism works.

All released versions starting with 1.1 are affected. This will be addressed in the 1.7.2 codebase, where the default will be changed to not automatically format the response. Earlier versions can be patched by applying this change.

Since this disables auto-formatting, you have to scan your code for instances of Request_Curl and either use set_format(true) to re-enable auto-formatting on a per-instance basis (only do this if you are absolutely sure you can trust the source of the response), or add code after the execute() call to validate the contents of the response body and convert it to the correct format manually, only after successful validation.

Reported by: Masaki Chida (GREE, Inc.)
Date: 01-05-2014
Affected versions: <= 1.7.1
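
The PHP function below is an added example of the manual validation step SEC-CORE-004 recommends once auto-formatting is off; it is not FuelPHP's Request_Curl implementation. It takes the raw body and Content-Type as plain strings, so it does not depend on the Request_Curl API, and it deliberately decodes only JSON, refusing formats whose decoders (such as unserialize()) can create objects and so turn untrusted data into code execution. The function name, the size limit and the sample responses are constructed for this example; json_decode() with JSON_THROW_ON_ERROR requires PHP 7.3 or later.

```php
<?php
// Added example for SEC-CORE-004. This is not FuelPHP's Request_Curl code: it shows the
// manual validation step the advisory recommends once auto-formatting is off. The
// Content-Type values and bodies below are constructed for illustration.

/**
 * Decode a raw cURL response body only after validating what it claims to be.
 * JSON only, on purpose: formats decoded with unserialize() or other
 * object-creating decoders are refused, because that is where untrusted data
 * turns into code execution.
 */
function decode_response_strictly(string $contentType, string $body, int $maxBytes = 1048576): array
{
    // Size guard before any parsing.
    if (strlen($body) > $maxBytes) {
        throw new RuntimeException('response body exceeds size limit');
    }

    // Strip parameters such as "; charset=utf-8" and compare the bare media type.
    $mime = strtolower(trim(explode(';', $contentType, 2)[0]));
    if ($mime !== 'application/json') {
        throw new RuntimeException("refusing to decode content type '{$mime}'");
    }

    // Associative arrays only (never objects), bounded nesting depth, errors as exceptions.
    $data = json_decode($body, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('decoded JSON is a scalar, expected object or array');
    }
    return $data;
}

// Constructed sample responses a remote server could return.
$samples = [
    ['application/json; charset=utf-8', '{"status":"ok","items":[1,2,3]}'],   // accepted
    ['application/vnd.php.serialized',  'O:8:"stdClass":0:{}'],              // needs unserialize(): refused
    ['application/json',                '{"status":'],                       // truncated JSON: refused
    ['text/html',                       '<html>login page</html>'],          // wrong type: refused
];

foreach ($samples as [$type, $body]) {
    try {
        $decoded = decode_response_strictly($type, $body);
        echo "accepted {$type}: ", json_encode($decoded), PHP_EOL;
    } catch (Throwable $e) {
        echo "rejected {$type}: ", $e->getMessage(), PHP_EOL;
    }
}
```

The point of passing the declared type in explicitly is that the caller, not the remote server, decides which decoder may run; a server that lies about its Content-Type can at worst get a parse error, not a different parser.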

SEC-CORE-003: $_GET not cleaned when parsed from REQUEST_URI

When none of the default methods of determining the request URI have succeeded, the framework will fallback to parsing the raw request URI as passed by the webserver. If this URI has a query string, it will be parsed and $_GET will be updated. In this process, the $_GET variables are not cleaned, making it possible to inject malicious data.

All released versions are affected. This will be addressed in the 1.7.1 codebase, and can be fixed in earlier versions by applying this change.

Reported by: Sergey Calugher, who also provided the fix
Date: 09-11-2013
Affected versions: <= 1.7
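
As an added PHP example for SEC-CORE-003, not the framework's own Input class, the snippet below shows a REQUEST_URI fallback that parses the query string into a local array, cleans keys and values, and only then merges the result into $_GET. The cleaning policy (reject invalid UTF-8, strip control characters, restrict key characters) is an assumption made for this example; a framework would apply its configured input filters at the same point. The function names and the sample URI are constructed.

```php
<?php
// Added example for SEC-CORE-003. This is not FuelPHP's Input class; it shows a
// REQUEST_URI fallback that parses the query string into a local array, cleans it,
// and only then merges it into $_GET. The cleaning policy is an assumption made for
// this example; a framework would apply its configured input filters here instead.

/** Keys become variable names downstream, so allow only a conservative character set. */
function clean_key(string $key): string
{
    return preg_replace('/[^A-Za-z0-9_\-\[\]]/', '', $key);
}

/** Recursively clean a value: reject invalid UTF-8, strip NUL and other control characters. */
function clean_input($value)
{
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $k => $v) {
            $clean[clean_key((string) $k)] = clean_input($v);
        }
        return $clean;
    }
    $value = (string) $value;
    if (!mb_check_encoding($value, 'UTF-8')) {
        return '';
    }
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
}

/** Fallback used only when the usual methods of determining the request URI failed. */
function get_from_request_uri(string $requestUri): array
{
    $query = parse_url($requestUri, PHP_URL_QUERY);
    if ($query === null || $query === false || $query === '') {
        return [];
    }
    $raw = [];
    parse_str($query, $raw);   // into a local array, never straight into $_GET
    return clean_input($raw);
}

// Constructed REQUEST_URI with a NUL byte, a newline and an odd key in the query string.
$uri = '/index.php/users/list?page=2%00&name=al%00ice&sort[]=na%0Ame&weird%20key=x';

$cleaned = get_from_request_uri($uri);
$_GET = array_merge($_GET, $cleaned);   // merge happens after cleaning, not before
var_export($_GET);
```

The structural fix is the order of operations: parse_str() writes into a local array, the cleaner runs over that array, and $_GET is touched last, so the fallback path gets exactly the same treatment as the normal one.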

SEC-CORE-002: xss_clean() doesn't clean unicode EM-spaces

On some browsers this can cause JavaScript execution if the string is sent unencoded to the browser. Since FuelPHP encodes everything sent to a view by default, we do not consider it an immediate risk.

All released versions are affected. XSS cleaning in FuelPHP is done by the external library htmLawed. We have been in contact with the author, who has fixed this in release v1.1.16. This release is included in the 1.7 codebase. You can upgrade manually by replacing "./fuel/core/vendor/htmlawed/htmlawed.php" (note the lowercase!).

Reported by: Takeshi Terada, Mitsui Bussan Secure Directions, Inc.
Date: 24-08-2013
Affected versions: <= 1.6.1

SEC-CORE-001: DB quote_identifier(), possible injection

The method "quote_identifier()", which the DB class uses to make sure identifiers are quoted, can be vulnerable to injection if uncleaned GET variables are passed to it, because preg_replace() was used with the "/e" modifier, which evaluates the replacement string as PHP code after the matched text has been substituted into it.

All released versions are affected. This has been addressed in the 1.7 codebase, and can be fixed in earlier versions by applying this change.

Reported by: Takeshi Terada, Mitsui Bussan Secure Directions, Inc.
Date: 24-08-2013
Affected versions: <= 1.6.1
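
The PHP snippet below is an added example for SEC-CORE-001 and is not FuelPHP's DB class. It shows a generic identifier quoter written with the preg_replace() "/e" modifier next to the preg_replace_callback() form that replaces it, plus an allowlist check for identifiers that originate in request input. The function names and test identifiers are constructed; the "/e" version is kept only for comparison and is not called, since "/e" was deprecated in PHP 5.5 and removed in PHP 7.0.

```php
<?php
// Added example for SEC-CORE-001. This is not FuelPHP's DB class; it shows the
// preg_replace() /e pattern the advisory refers to and the preg_replace_callback()
// form that replaces it. The identifiers used below are constructed for illustration.

/**
 * VULNERABLE form (PHP 5 only; /e was deprecated in 5.5 and removed in 7.0).
 * With /e, preg_replace() substitutes the back-references into the replacement
 * string and evaluates the result as PHP. PHP escapes quotes and backslashes in
 * the substituted text, but not '$' or braces, so with a double-quoted replacement
 * such as "`$1`" a subject part containing "${...}" or "{$...}" still undergoes
 * variable interpolation, i.e. attacker-chosen expressions are evaluated.
 * Defined here for comparison only; it is not called below.
 */
function quote_identifier_eval($identifier)
{
    return preg_replace('/([^.]+)/e', '"`$1`"', $identifier);
}

/** SAFE form: the callback receives the match as data and builds the result itself. */
function quote_identifier_callback(string $identifier): string
{
    return preg_replace_callback(
        '/([^.]+)/',
        static function (array $m): string {
            // Double any embedded backtick so the quoted part cannot close early.
            return '`' . str_replace('`', '``', $m[1]) . '`';
        },
        $identifier
    );
}

/** Stricter still: identifiers that come from request input should match an allowlist first. */
function quote_identifier_strict(string $identifier): string
{
    $pattern = '/\A[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*\z/';
    if (preg_match($pattern, $identifier) !== 1) {
        throw new InvalidArgumentException('invalid SQL identifier: ' . $identifier);
    }
    return quote_identifier_callback($identifier);
}

$cases = [
    'users.email',     // normal dotted identifier
    'users.{$x}',      // constructed: braces and a dollar sign, which /e escaping leaves alone
    'a`b',             // constructed: embedded backtick
];

foreach ($cases as $id) {
    echo quote_identifier_callback($id), PHP_EOL;   // always returns quoted data, never evaluates it
    try {
        echo quote_identifier_strict($id), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The callback form removes the eval step entirely; the allowlist is the cheaper check for any code path where the identifier can be influenced by $_GET, which is the condition the advisory names.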