FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

codeigniter -- arbitrary script execution in the new Form Validation class

Affected packages
1.7.0 <= codeigniter < 1.7.1


VuXML ID 83574d5a-f828-11dd-9fdf-0050568452ac
Discovery 2008-11-28
Entry 2009-02-11

znirkel reports:

The eval() function in _reset_post_array crashes when posting certain data. By passing in carefully-crafted input data, the eval() function could also execute malicious PHP code.

Note that CodeIgniter applications that either do not use the new Form Validation class or use the old Validation class are not affected by this vulnerability.