PyroCMS Static Private Key Leads to Object Injection Vuln. #3276
Of course I always contact the developers if a vulnerability causes very serious things. But in PyroCMS's case you cannot bypass the user authorization system via session array manipulation, because PyroCMS checks permissions from the database instead of the session. Also there is no way to do magic method manipulation of classes, because none of them uses a __destruct or __wakeup method in a dangerous way. I opened that ticket in order to block future attack vectors. So I don't need to apologize, sir.
I took down the blog post anyway. You have your 48 hours, or as much as you need. I've just been trying to contribute to your open source app. If you need to reach the blog post during the patch process, email me: email@example.com
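The three points made in the comment above (a per-install rather than static key, no gadget reachable through unserialize(), and authorization answered by the database) as one defensive pattern. This is example PHP added for this page, not PyroCMS code; the key file path, the cookie format and the users table layout are assumptions.

```php
<?php
// Added illustration, not PyroCMS code. Assumed: the key file path,
// the cookie format "base64(payload).hex(hmac)" and a users table.
declare(strict_types=1);

// Per-installation secret generated once at install time. A key that is
// identical on every install (static) can be read from the public source
// and used to forge a valid signature on attacker-chosen session data.
function loadSessionKey(string $path): string {
    if (!is_file($path)) {
        file_put_contents($path, bin2hex(random_bytes(32)), LOCK_EX);
        chmod($path, 0600);
    }
    return trim((string) file_get_contents($path));
}

function signSession(array $data, string $key): string {
    $payload = base64_encode(serialize($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns null on any tampering. The MAC is checked before unserialize(),
// and allowed_classes=false turns any serialized object into
// __PHP_Incomplete_Class, so no __wakeup/__destruct method can run.
function openSession(string $cookie, string $key): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Permission comes from the database, never from a flag inside the session
// array, so even a forged session cannot grant admin rights.
function isAdmin(PDO $db, array $session): bool {
    if (!isset($session['user_id'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT is_admin FROM users WHERE id = ?');
    $stmt->execute([(int) $session['user_id']]);
    return (bool) $stmt->fetchColumn();
}
```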
Thank you Mehmet.
I have a fix in 2.2.4 and am merging into 2.3/develop now, I’ll ping you when you can put the blog post back.
While there may not be any attack vectors right now, putting that out there is going to get people thinking about how they could attack it. Posting a blog article about it instead of just contacting us is generally considered bad practice, but I am very grateful for your cooperation. :)