PHP :: Bug #72142 :: WDDX Packet Injection Vulnerability in wddx_serialize

Bug #72142	WDDX Packet Injection Vulnerability in wddx_serialize_value()
Submitted:	2016-05-03 12:14 UTC	Modified:	2016-05-10 05:30 UTC
From:	taoguangchen at icloud dot com	Assigned:
Status:	Closed	Package:	WDDX related
PHP Version:	5.6.21	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	taoguangchen at icloud dot com
New email:
PHP Version:		OS:

New Comment:

[2016-05-03 12:14 UTC] taoguangchen at icloud dot com

Description:
------------
```
void php_wddx_packet_start(wddx_packet *packet, char *comment, int comment_len)
{
	php_wddx_add_chunk_static(packet, WDDX_PACKET_S);
	if (comment) {
		php_wddx_add_chunk_static(packet, WDDX_HEADER_S);
		php_wddx_add_chunk_static(packet, WDDX_COMMENT_S);
		php_wddx_add_chunk_ex(packet, comment, comment_len);
		php_wddx_add_chunk_static(packet, WDDX_COMMENT_E);
		php_wddx_add_chunk_static(packet, WDDX_HEADER_E);
...
PHP_FUNCTION(wddx_serialize_value)
{
...
	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z|s", &var, &comment, &comment_len) == FAILURE) {
		return;
	}
...
	php_wddx_packet_start(packet, comment, comment_len);
```

The wddx_serialize_value()'s second parameter `comment` is not filtered, that results in arbitrarily wddx packet injection vulnerability.

PoC:
```
<?php

$wddx = wddx_serialize_value('', '</comment></header><data><struct><var name="php_class_name"><string>stdClass</string></var></struct></data></wddxPacket>');
var_dump(wddx_deserialize($wddx));

?>
```

Fix:
```
void php_wddx_packet_start(wddx_packet *packet, char *comment, int comment_len)
{
	php_wddx_add_chunk_static(packet, WDDX_PACKET_S);
	if (comment) {
+		size_t comment_esc_len;
+		char *comment_esc;
+		comment_esc = php_escape_html_entities(comment, comment_len, &comment_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
		php_wddx_add_chunk_static(packet, WDDX_HEADER_S);
		php_wddx_add_chunk_static(packet, WDDX_COMMENT_S);
-		php_wddx_add_chunk_ex(packet, comment, comment_len);
+		php_wddx_add_chunk_ex(packet, comment_esc, comment_esc_len);
		php_wddx_add_chunk_static(packet, WDDX_COMMENT_E);
		php_wddx_add_chunk_static(packet, WDDX_HEADER_E);
		efree(comment_esc);
	} else {
```

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-05-10 05:30 UTC] stas@php.net

-Type: Security +Type: Bug

[2016-05-10 05:30 UTC] stas@php.net

Doesn't look like security issue - you can just compose any string you like and call it "wddx serialized", so I don't see any vulnerability here.

[2016-05-10 05:30 UTC] stas@php.net

-PHP Version: 5.5.35 +PHP Version: 5.6.21

[2016-07-30 13:55 UTC] nikic@php.net

Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e87ac688d5e700fdb56b37fda8b011d6b05b97fc
Log: Fixed bug #72142

[2016-07-30 13:55 UTC] nikic@php.net

-Status: Open +Status: Closed

[2016-10-17 10:10 UTC] bwoebi@php.net

Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e87ac688d5e700fdb56b37fda8b011d6b05b97fc
Log: Fixed bug #72142

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Dec 03 17:01:29 2024 UTC