CodeIgniter session decoding vulnerability

Description

A vulnerability was discovered in the CodeIgniter session handling code. This issue was reported to EllisLab and a fixed version (2.2.0) was released on 5th June 2014, which removed the _xor_encode() method and required the use of Mcrypt.

Remediation

Upgrade to the latest version of CodeIgniter. This problem was fixed in CodeIgniter version 2.2.0.
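
To find installations that still need this upgrade, the following added example (not part of the original advisory or of CodeIgniter itself) walks a directory tree, reads the framework version from each CodeIgniter.php, and flags anything older than 2.2.0. It assumes the version is declared as the CI_VERSION constant in that file; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 2, 0)  # first release containing the fix, per the advisory

# Assumption: the version is declared as CI_VERSION, either with define()
# (older releases) or with const (newer releases).
_VERSION_RE = re.compile(
    r"""(?:define\(\s*['"]CI_VERSION['"]\s*,|const\s+CI_VERSION\s*=)\s*['"]([^'"]+)['"]"""
)

def parse_ci_version(php_source):
    """Return the CI_VERSION string declared in php_source, or None."""
    match = _VERSION_RE.search(php_source)
    return match.group(1) if match else None

def version_tuple(version):
    """'2.1.4' -> (2, 1, 4); '2.2-dev' -> (2, 2, 0). Any suffix is dropped."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_vulnerable(version):
    """True if version predates the fix. A pre-release build of the fixed
    version (a '-suffix') is flagged too, since it may lack the change."""
    parsed = version_tuple(version)
    return parsed < FIXED or (parsed == FIXED and "-" in version)

def scan(root):
    """Yield (path, version, vulnerable) for each CodeIgniter.php under root."""
    for path in Path(root).rglob("CodeIgniter.php"):
        version = parse_ci_version(path.read_text(errors="replace"))
        if version is not None:
            yield str(path), version, is_vulnerable(version)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, version, vulnerable in scan(root):
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{status:10} {version:10} {path}")
```

A version at or above 2.2.0 only shows that the fixed code is installed; the advisory also notes that the fixed release requires Mcrypt, so confirm that extension is available on the host.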

Tags
  • Configuration