Vulnerability in Kohana?

Yesterday, our portal, written in Kohana, was successfully attacked. The idea that it is necessary to sin on a respected framework, security in which is far from the last place, was not even discussed at first. The program that scanned our site took about 95 thousand requests and 5 hours to find this vulnerability. Take a close look at these two functions from the Kohans core version 3.2:

public function redirect($url = '', $code = 302) { $referrer = $this->uri(); $protocol = ($this->secure()) ? 'https' : TRUE; if (strpos($referrer, '://') === FALSE) { $referrer = URL::site($referrer, $protocol, ! empty(Kohana::$index_file)); } if (strpos($url, '://') === FALSE) { // Make the URI into a URL $url = URL::site($url, TRUE, ! empty(Kohana::$index_file)); } if (($response = $this->response()) === NULL) { $response = $this->create_response(); } echo $response->status($code) ->headers('Location', $url) ->headers('Referer', $referrer) ->send_headers() ->body(); // Stop execution exit; } 

 public static function site($uri = '', $protocol = NULL, $index = TRUE) { // Chop off possible scheme, host, port, user and pass parts $path = preg_replace('~^[-a-z0-9+.]++://[^/]++/?~', '', trim($uri, '/')); if ( ! UTF8::is_ascii($path)) { // Encode all non-ASCII characters, as per RFC 1738 $path = preg_replace('~([^/]+)~e', 'rawurlencode("$1")', $path); } // Concat the URL return URL::base($protocol, $index).$path; } 

As you can see, when using the redirect function in a request, the URL :: site function is used in the current uri, which uses preg_replace with the execution modifier “e”: rawurlencode is applied to each segment of the URL, and the segment is transmitted in double quotes, which allows something like ($ {@ phpinfo ()}), and it will work. Thus, if we redirect to http: // site / path / param1, then by adding an expression like ($ {@ phpinfo ()}) to param1, you can execute some code. The main thing is that param1 also contains non-ascii characters, for example, Russian letters . In our case, after the vulnerability was found by a bot, a man took up the task, and after some time, with simple manipulations, he was able to flood the shell through this hole. An invaluable help in this has had such a moment. Kokhan's exception handler has this piece:

 public static function handler(Exception $e) { // ..... // if (Request::$current !== NULL AND Request::current()->is_ajax() === TRUE) { // Just display the text of the exception echo "\n{$error}\n"; exit(1); } // ..... // } 

The request has an X-Requested-With header equal to XMLHttpRequest? Keep an error message! The tracker Kohana already unsubscribed.