CVE-2014-8684

Severity

75%

Complexity

99%

Confidentiality

106%

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.

CVSS 3.0 Base Score 9.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Overview

Type

Kohana Framework Kohana

First reported 7 years ago

2017-09-19 19:29:00

Last updated 7 years ago

2017-09-28 18:47:00

Affected Software

Kohana Framework Kohana 3.2.3

3.2.3

Kohana Framework Kohana 3.3.1

3.3.1

References

http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html

Third Party Advisory, VDB Entry

20140512 CodeIgniter <= 2.1.4 and Kohana <= 3.2.3, 3.3.2 - Timing Attacks and Object Injection

Mailing List, Third Party Advisory

https://github.com/kohana/core/pull/492

Third Party Advisory

https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection

Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.