This vulnerability may cause OS commands to be executed when you pass unvalidated image filenames containing specially crafted strings to the ImageMagick driver.
All released versions starting with 1.1 are affected. The issue will be addressed in hotfix v220.127.116.11. You can modify ealier versions by implementing the changes from this change.
The default composer.json file installs Monolog v1.5, which contains known vulnerabilities. Monolog will be upgraded to v1.18 in the next release. You can do this yourself now by manually changing your composer.json, and run "composer update".
Using a special crafted cURL request it is under strict conditions possible to access arbitrary files the webserver has access to. This requires you to use file-based sessions, a specific directory to exist on your server, and session payload encryption to be switched off.
All released versions starting with 1.0 are affected. Given the severity, this will been addressed in next release. You can modify current and earlier versions by applying this change.
When executing a cURL request using the Request_Curl class with an unvalidated URL provided by user input, or a request to a malicious or a legitimate but hacked website, a specially crafted response can lead to auto-execution of malicious code, due to the way the auto formatting mechanism works.
All released versions starting with 1.1 are affected. This will been addressed in the 1.7.2 codebase, where the default will be changed to not automatically format the response. This can be modified in earlier versions by applying this change.
Since this will disable auto-format, you have to scan your code for instances of Request_Curl, and either use set_format(true) to re-enable auto-formatting on a per instance basis (only do this if you are absolutely sure you can trust the source of the response), or add additional code after the execute() call to validate the contents of the response body, and convert it to the correct format manually only after succesful validation.
When none of the default methods of determining the request URI have succeeded, the framework will fallback to parsing the raw request URI as passed by the webserver. If this URI has a query string, it will be parsed and $_GET will be updated. In this process, the $_GET variables are not cleaned, making it possible to inject malicious data.
All released versions are affected. This will been addressed in the 1.7.1 codebase, and can be fixed in earlier versions by applying this change
All released versions are affected. XSS cleaning in FuelPHP is done by the external library htmlLawed. We have been in contact with the author, who has fixed this in release v1.1.16. This release is included in the 1.7 codebasse. You can upgrade manually by replacing "./fuel/core/vendor/htmlawed/htmlawed.php" (note the lowercase!)
The method "quote_identifier()" which is used in the DB class to make sure identifiers are quoted can be vulnerable for injection if uncleaned GET variables are passed to it, due to the way preg_replace() has been used with the "/e" modifier.
All released versions are affected. This has been addressed in the 1.7 codebase, and can be fixed in earlier versions by applying this change.