CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions successful login attempts are recorded with the raw tokens stored in the log table. If a malicious person somehow views the data in the log table they can obtain a raw token which can then be used to send a request with that users authority. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. Users unable to upgrade should disable logging for successful login attempts by the configuration files.
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Shield | Codeigniter | 1.0.0-beta (including) | 1.0.0-beta (including) |
Shield | Codeigniter | 1.0.0-beta2 (including) | 1.0.0-beta2 (including) |
Shield | Codeigniter | 1.0.0-beta3 (including) | 1.0.0-beta3 (including) |
Shield | Codeigniter | 1.0.0-beta4 (including) | 1.0.0-beta4 (including) |
Shield | Codeigniter | 1.0.0-beta5 (including) | 1.0.0-beta5 (including) |
Shield | Codeigniter | 1.0.0-beta6 (including) | 1.0.0-beta6 (including) |
Shield | Codeigniter | 1.0.0-beta7 (including) | 1.0.0-beta7 (including) |
While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for: