Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authorized PHP Object Injection #297

Closed
Xyntax opened this issue Jan 17, 2017 · 1 comment

Comments

Projects
None yet
3 participants
@Xyntax
Copy link

commented Jan 17, 2017

https://github.com/intelliants/subrion/blob/develop/includes/classes/ia.core.users.php#L709

if (isset($_COOKIE['salt']) && $_COOKIE['salt'])
		{
			$s = unserialize($_COOKIE['salt']);
			if (isset($s['salt']) && isset($s['items']) && $s['salt'] && $s['items'])
			{
				$salt = $s;
			}
		}

When unserialize() is used on user supplied data it often leads to PHP Object Injection.

Attacker may generate a string of serialized object and parse it to server backend via $_COOKIE['salt'] by submitting a login request. Then func unserialize() will trigger __wakeup() and __destruct() method in serialized obj, resulting in code execution.

Please check other places where the function unserialize() is used.

@Batry Batry self-assigned this Jan 17, 2017

@Batry Batry added the critical label Jan 17, 2017

Batry added a commit that referenced this issue Jan 17, 2017

@Batry

This comment has been minimized.

Copy link
Member

commented Jan 17, 2017

@Xyntax, thanks for pointing out! Shifted to json format.

@Batry Batry closed this Jan 17, 2017

@vbezruchkin vbezruchkin modified the milestone: 4.1.0 Jan 23, 2017

vbezruchkin added a commit that referenced this issue Feb 20, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.