Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Ilia Alshanetsky's Blog:
Another unserialize() abuse
Mar 23, 2006 @ 12:59:23

With yet another reason not to trust the users of your application (mainly the data they send you), Ilia Alshanetsky has details on an issue that could be caused by the unserialize() function in PHP.

While talking with PHP developers this morning I thought of another way unverified serialized strings could be abused. This exploit can only affect PHP 5 installs though, but given the growing market share of PHP 5 it is certainly something worth noting.

As you may know classes in PHP are allowed to implement a magic method called __wakeup() that contains operation that are to be performed when a class is deserialized. Some native classes like PDO implement this function with a goal of preventing database serialization and throw an error when it is used.

He uses an example with PDO and a string of a serialized "supposed PDO object" to illustrate how, without the proper handling, it could lead to a fatal error in the script. The end result of the fatal error, if displaying errors is still on, could be that somewhat sensitive information could be displayed to the viewer.

tagged: unserialize abuse __wakeup fatal error display unserialize abuse __wakeup fatal error display

Link:

Ilia Alshanetsky's Blog:
Another unserialize() abuse
Mar 23, 2006 @ 12:59:23

With yet another reason not to trust the users of your application (mainly the data they send you), Ilia Alshanetsky has details on an issue that could be caused by the unserialize() function in PHP.

While talking with PHP developers this morning I thought of another way unverified serialized strings could be abused. This exploit can only affect PHP 5 installs though, but given the growing market share of PHP 5 it is certainly something worth noting.

As you may know classes in PHP are allowed to implement a magic method called __wakeup() that contains operation that are to be performed when a class is deserialized. Some native classes like PDO implement this function with a goal of preventing database serialization and throw an error when it is used.

He uses an example with PDO and a string of a serialized "supposed PDO object" to illustrate how, without the proper handling, it could lead to a fatal error in the script. The end result of the fatal error, if displaying errors is still on, could be that somewhat sensitive information could be displayed to the viewer.

tagged: unserialize abuse __wakeup fatal error display unserialize abuse __wakeup fatal error display

Link:


Trending Topics: