Addressing TLM vulnerability
A certain special escape sequence causes dynamic code callers to
execute arbitrary code.

    ?q=%5C%27%29;phpinfo%28%29;/*
andyvanee committed Apr 22, 2015
1 parent 510127d commit fba7d89
Showing 1 changed file with 10 additions and 6 deletions.
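--- a/app/controllers/code_caller_controller.php
+++ b/app/controllers/code_caller_controller.php
@@ -86,14 +86,18 @@ function getContent($params, $dynamic) {
 function dynamicPHP(&$obj, $method, $include_file, $params=array()) {
 $ret = '';
 if (is_object($obj) && method_exists($obj, $method)) {
-$ret .= "<?php\n" .
-'include_once \'' . $include_file . '\';' . "\n" .
-'$obj = unserialize(\'' . str_replace('\'', '\\\'', serialize($obj)) . '\');' . "\n" .
-'$params = unserialize(\'' . str_replace('\'', '\\\'', serialize($params)) . '\');' . "\n" .
-'print $obj->' . $method . '($params);' . "\n" .
-"?>\n";
+$ret .= '<?php include_once \'' . $include_file . '\';';
+$ret .= '$obj = ' . $this->wrapSanitizedSerializer($obj) . ';';
+$ret .= '$params = ' . $this->wrapSanitizedSerializer($param) . ';';
+$ret .= 'print $obj->' . $method . '($params);';
+$ret .= '?>';
 }
 return $ret;
 }
+
+private function wrapSanitizedSerializer($obj) {
+$encoded_serialized_string = base64_encode(serialize($obj));
+return "unserialize(base64_decode('$encoded_serialized_string'))";
+}
 }
 ?>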
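Review bot: The new line `$ret .= '$params = ' . $this->wrapSanitizedSerializer($param) . ';';` reads `$param`, which is never defined; the function's parameter is `$params`, so the generated script always receives a serialized null (plus an undefined-variable notice on the generator side) and the target method is called without its arguments. It should read `$ret .= '$params = ' . $this->wrapSanitizedSerializer($params) . ';';`. The base64 wrapping does close the quote-escape hole in the serialized payloads, but `$include_file` and `$method` are still spliced into the generated source verbatim; `method_exists` constrains `$method` to an existing method name, whereas `$include_file` gets no check at all, so if it can be caller-influenced it needs the same treatment, e.g. `$ret .= '<?php include_once ' . var_export($include_file, true) . ';';`. `dynamicPHP` and `wrapSanitizedSerializer` are fully inside the hunk; the enclosing class begins before it.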
