Authorized PHP Object Injection #297

Xyntax · 2017-01-17T13:20:39Z

https://github.com/intelliants/subrion/blob/develop/includes/classes/ia.core.users.php#L709

if (isset($_COOKIE['salt']) && $_COOKIE['salt'])
		{
			$s = unserialize($_COOKIE['salt']);
			if (isset($s['salt']) && isset($s['items']) && $s['salt'] && $s['items'])
			{
				$salt = $s;
			}
		}

When unserialize() is used on user supplied data it often leads to PHP Object Injection.

Attacker may generate a string of serialized object and parse it to server backend via $_COOKIE['salt'] by submitting a login request. Then func unserialize() will trigger __wakeup() and __destruct() method in serialized obj, resulting in code execution.

Please check other places where the function unserialize() is used.

The text was updated successfully, but these errors were encountered:

ghost · 2017-01-17T17:50:25Z

@Xyntax, thanks for pointing out! Shifted to json format.

ghost self-assigned this Jan 17, 2017

ghost added the critical label Jan 17, 2017

ghost pushed a commit that referenced this issue Jan 17, 2017

#297

f626333

ghost closed this as completed Jan 17, 2017

vbezruchkin modified the milestone: 4.1.0 Jan 23, 2017

vbezruchkin pushed a commit that referenced this issue Feb 20, 2017

#297

019dee2

This issue was closed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Authorized PHP Object Injection #297

Authorized PHP Object Injection #297

Xyntax commented Jan 17, 2017

ghost commented Jan 17, 2017

Authorized PHP Object Injection #297

Authorized PHP Object Injection #297

Comments

Xyntax commented Jan 17, 2017

ghost commented Jan 17, 2017