Bug #72142 WDDX Packet Injection Vulnerability in wddx_serialize_value()
Submitted: 2016-05-03 12:14 UTC Modified: 2016-05-10 05:30 UTC
From: taoguangchen at icloud dot com Assigned:
Status: Closed Package: WDDX related
PHP Version: 5.6.21 OS: *
Private report: No CVE-ID: None
 [2016-05-03 12:14 UTC] taoguangchen at icloud dot com
Description:
------------
```
void php_wddx_packet_start(wddx_packet *packet, char *comment, int comment_len)
{
	php_wddx_add_chunk_static(packet, WDDX_PACKET_S);
	if (comment) {
		php_wddx_add_chunk_static(packet, WDDX_HEADER_S);
		php_wddx_add_chunk_static(packet, WDDX_COMMENT_S);
		/* comment is appended verbatim: no escaping of <, >, & or quotes */
		php_wddx_add_chunk_ex(packet, comment, comment_len);
		php_wddx_add_chunk_static(packet, WDDX_COMMENT_E);
		php_wddx_add_chunk_static(packet, WDDX_HEADER_E);
...
PHP_FUNCTION(wddx_serialize_value)
{
...
	/* "z|s": the optional second argument is an arbitrary user-supplied string */
	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z|s", &var, &comment, &comment_len) == FAILURE) {
		return;
	}
...
	php_wddx_packet_start(packet, comment, comment_len);
```

The second parameter `comment` of wddx_serialize_value() is not filtered, which results in an arbitrary WDDX packet injection vulnerability.

PoC:
```
<?php

// The payload closes <comment> and <header>, then supplies its own <data>
// section; a php_class_name var inside a struct makes wddx_deserialize()
// instantiate that class (here stdClass) instead of returning the empty string.
$wddx = wddx_serialize_value('', '</comment></header><data><struct><var name="php_class_name"><string>stdClass</string></var></struct></data></wddxPacket>');
var_dump(wddx_deserialize($wddx));

?>
```

Fix:
```
void php_wddx_packet_start(wddx_packet *packet, char *comment, int comment_len)
{
	php_wddx_add_chunk_static(packet, WDDX_PACKET_S);
	if (comment) {
+		size_t comment_esc_len;
+		char *comment_esc;
+		comment_esc = php_escape_html_entities(comment, comment_len, &comment_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
		php_wddx_add_chunk_static(packet, WDDX_HEADER_S);
		php_wddx_add_chunk_static(packet, WDDX_COMMENT_S);
-		php_wddx_add_chunk_ex(packet, comment, comment_len);
+		php_wddx_add_chunk_ex(packet, comment_esc, comment_esc_len);
		php_wddx_add_chunk_static(packet, WDDX_COMMENT_E);
		php_wddx_add_chunk_static(packet, WDDX_HEADER_E);
		efree(comment_esc);
	} else {
```
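Review bot: the `php_escape_html_entities(comment, comment_len, &comment_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC)` call passes ENT_QUOTES without ENT_SUBSTITUTE or ENT_IGNORE, so a comment that is not a valid byte sequence in the default charset comes back as an empty string and the caller's comment is silently dropped rather than escaped or rejected; pass `ENT_QUOTES | ENT_SUBSTITUTE` (or report the failure) so the header never loses the comment without notice. Minor: `comment` is `char *` while the function takes `unsigned char *`, so cast it to keep the build warning-free.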


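The mechanism the report describes, as an added example that is not code from php-src or from the reporter: a Python model of php_wddx_packet_start() for a single string value, built once with the comment concatenated verbatim and once with the escaping the fix adds, each fed to a small expat-based reader. The tag strings mirror the constants the C code emits; the reader is an assumption of this example (it only records the comment, var names and string values, and keeps what it collected when expat stops on the trailing tags, which is what the PoC's successful deserialization implies). Python is used so the demonstration runs without the wddx extension.

```python
"""Model of the bug #72142 comment injection (added example, not php-src code)."""
from xml.parsers import expat
from xml.sax.saxutils import escape

# Tag strings mirroring the WDDX_* constants the C serializer emits.
PACKET_S, PACKET_E = '<wddxPacket version="1.0">', '</wddxPacket>'
HEADER_S, HEADER_E = '<header>', '</header>'
COMMENT_S, COMMENT_E = '<comment>', '</comment>'
DATA_S, DATA_E = '<data>', '</data>'
STRING_S, STRING_E = '<string>', '</string>'

# Constructed input: the same comment payload as the report's PoC.
POC_COMMENT = ('</comment></header><data><struct>'
               '<var name="php_class_name"><string>stdClass</string></var>'
               '</struct></data></wddxPacket>')


def escape_comment(comment):
    """Escape the five characters ENT_QUOTES covers: & < > \" and '."""
    return escape(comment, {'"': '&quot;', "'": '&#039;'})


def serialize_string(value, comment=None, fixed=False):
    """Build a packet for one string value the way php_wddx_packet_start() does.

    fixed=False appends the comment verbatim (the reported bug);
    fixed=True applies the escaping the fix adds.
    """
    out = [PACKET_S]
    if comment is not None:
        text = escape_comment(comment) if fixed else comment
        out += [HEADER_S, COMMENT_S, text, COMMENT_E, HEADER_E]
    else:
        out.append('<header/>')
    # String values are escaped here; the report's injection is via the comment only.
    out += [DATA_S, STRING_S, escape_comment(value), STRING_E, DATA_E, PACKET_E]
    return ''.join(out)


def deserialize(packet):
    """Lenient reader (assumption modelled on ext/wddx): expat callbacks fill
    `seen`, and an XML error on trailing input keeps what was already collected."""
    seen = {'comment': None, 'vars': [], 'strings': [], 'class': None,
            'well_formed': True}
    stack, buf = [], []

    def start(name, attrs):
        stack.append(name)
        buf.clear()
        if name == 'var':
            seen['vars'].append(attrs.get('name'))

    def chars(data):
        buf.append(data)          # expat may split text; accumulate per element

    def end(name):
        text = ''.join(buf)
        buf.clear()
        if name == 'comment':
            seen['comment'] = text
        elif name == 'string':
            seen['strings'].append(text)
            # <var name="php_class_name"><string>X</string></var> is what makes
            # wddx_deserialize() instantiate class X instead of building an array.
            if (len(stack) >= 2 and stack[-2] == 'var'
                    and seen['vars'] and seen['vars'][-1] == 'php_class_name'):
                seen['class'] = text
        stack.pop()

    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(packet, True)
    except expat.ExpatError:
        seen['well_formed'] = False   # e.g. "junk after document element"
    return seen


if __name__ == '__main__':
    for fixed in (False, True):
        pkt = serialize_string('', POC_COMMENT, fixed=fixed)
        print('fixed' if fixed else 'vulnerable', deserialize(pkt))
```

With the verbatim comment the reader has already recorded the injected struct (class stdClass) by the time expat rejects the serializer's own trailing `</comment></header>...`; with the escaped comment the whole payload survives only as the text of `<comment>`, the document is well-formed and the data section is the empty string the caller serialized.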
History
 [2016-05-10 05:30 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-05-10 05:30 UTC] stas@php.net
Doesn't look like security issue - you can just compose any string you like and call it "wddx serialized", so I don't see any vulnerability here.
 [2016-05-10 05:30 UTC] stas@php.net
-PHP Version: 5.5.35 +PHP Version: 5.6.21
 [2016-07-30 13:55 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e87ac688d5e700fdb56b37fda8b011d6b05b97fc
Log: Fixed bug #72142
 [2016-07-30 13:55 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2016-10-17 10:10 UTC] bwoebi@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e87ac688d5e700fdb56b37fda8b011d6b05b97fc
Log: Fixed bug #72142