Headline
CVE-2023-48708: Insertion of Sensitive Information into Log
CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions successful login attempts are recorded with the raw tokens stored in the log table. If a malicious person somehow views the data in the log table they can obtain a raw token which can then be used to send a request with that user’s authority. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. Users unable to upgrade should disable logging for successful login attempts by the configuration files.
Impact
If successful login attempts are recorded, the raw tokens are stored in the log table.
If a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user’s authority.
When you (1) use the following authenticators,
- AccessTokens (tokens)
- JWT (jwt)
- HmacSha256 (hmac)
and you (2) log successful login attempts, the raw tokens are stored.
Patches
Upgrade to Shield v1.0.0-beta.8 or later.
Workarounds
Disable logging for successful login attempts by the configuration files.
- AccessTokens or HmacSha256
  - Set Config\AuthToken::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE
- JWT
  - Set Config\AuthJWT::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE
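The workaround above, written out as an app-level config override (an added example, not code from the advisory or from the Shield project). It assumes Shield's usual layout: the override lives in app/Config/AuthToken.php, extends CodeIgniter\Shield\Config\AuthToken, and the pre-fix default is Auth::RECORD_LOGIN_ATTEMPT_ALL; only the property and the FAILURE/NONE constants are named on this page.

```php
<?php
// app/Config/AuthToken.php  (path and parent class assumed from Shield's layout;
// the property and the FAILURE/NONE constants are the ones named in the advisory)

declare(strict_types=1);

namespace Config;

use CodeIgniter\Shield\Config\Auth;
use CodeIgniter\Shield\Config\AuthToken as ShieldAuthToken;

class AuthToken extends ShieldAuthToken
{
    // Weak setting (assumed pre-fix default): every successful AccessTokens or
    // HmacSha256 login is recorded, and in affected versions the raw token is
    // written into the log table alongside the attempt.
    // public int $recordLoginAttempt = Auth::RECORD_LOGIN_ATTEMPT_ALL;

    // Workaround: record failed attempts only. No row is written for a
    // successful login, so no raw token reaches the log table.
    // Auth::RECORD_LOGIN_ATTEMPT_NONE disables attempt logging entirely, at the
    // cost of losing failed-login visibility for detection.
    public int $recordLoginAttempt = Auth::RECORD_LOGIN_ATTEMPT_FAILURE;
}

// For the JWT authenticator the same property is set on Config\AuthJWT
// (app/Config/AuthJWT.php extending CodeIgniter\Shield\Config\AuthJWT).
```

Keeping RECORD_LOGIN_ATTEMPT_FAILURE rather than NONE preserves the failed-attempt records that brute-force detection relies on while still closing the token-leak path.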
References
- https://codeigniter4.github.io/shield/getting_started/authenticators/
For more information
If you have any questions or comments about this advisory:
- Open an issue or discussion in codeigniter4/shield
- Email us at [email protected]