Bug #75044 Object Injection in PHP's WDDX Serialization
Submitted: 2017-08-07 10:20 UTC Modified: 2017-08-13 19:40 UTC
From: taoguangchen at icloud dot com Assigned:
Status: Open Package: WDDX related
PHP Version: 5.6.31 OS: *
Private report: No CVE-ID: None

 [2017-08-07 10:20 UTC] taoguangchen at icloud dot com
Description:
------------
PoC 1:
```
<?php
class ryat {
	var $hi;
	function __wakeup() {
		// Runs when wddx_deserialize() instantiates ryat from the packet.
		echo 'hi';
	}
	function __destruct() {
		// Runs on destruction with a property value taken from the packet.
		echo $this->hi;
	}
}

// A plain array: its php_class_name key is what makes the deserializer build a ryat object.
$array = ['php_class_name'=>'ryat', 'hi'=>'ryat'];
wddx_deserialize(wddx_serialize_value($array));
```
PoC 2:
```
<?php
// Same issue via the session layer: the wddx session serializer round-trips
// $_SESSION through wddx_deserialize().
ini_set('session.serialize_handler', 'wddx');
session_start();

$array = ['php_class_name'=>'ryat', 'hi'=>'ryat'];
$_SESSION['ryat'] = $array;
session_decode(session_encode());

// Declared after use; PHP hoists unconditional class declarations, so ryat
// already exists when session_decode() runs.
class ryat {
	var $hi;
	function __wakeup() {
		echo 'hi';
	}
	function __destruct() {
		echo $this->hi;
	}
}
```

Fix:
```
static void php_wddx_serialize_array(wddx_packet *packet, zval *arr)
{
...
		if (is_struct) {
			ent_type = zend_hash_get_current_key_ex(target_hash, &key, &key_len, &idx, 0, NULL);

			if (ent_type == HASH_KEY_IS_STRING) {
+				if (!strcmp(key, PHP_CLASS_NAME_VAR)) {
+					continue;
+				}
				php_wddx_serialize_var(packet, *ent, key, key_len TSRMLS_CC);
```
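Review bot: the guard is placed in php_wddx_serialize_array(), so it only keeps php_class_name out of packets that PHP itself produces; wddx_deserialize() applied to a packet that arrives from outside (the case an object-injection report is about) still follows the struct-to-object path unchanged, and PoC 1 stops reproducing only because its packet is now built without that key. If the intent is to stop instantiation, the check belongs on the deserialization side, where a struct carrying a php_class_name member is turned into an object, and refusing or logging such packets would be preferable to dropping the member silently; the fix should then be re-tested against a packet that was not generated by the patched wddx_serialize_value().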

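As an added example (not from the report and not PHP's own code): a defensive pre-check that parses a WDDX packet and refuses to hand it to wddx_deserialize() when any struct carries the php_class_name member that PoC 1 relies on. The function names are assumptions; the element and attribute names (wddxPacket, struct, var, name) are the format's own.

```php
<?php
// Refuse WDDX packets that would make wddx_deserialize() instantiate an object.
// Function names are assumptions; no scalar type hints so this runs on PHP 5.6 too.

function wddx_packet_names_class($packet)
{
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing untrusted XML.
    $ok = $dom->loadXML($packet, LIBXML_NONET);
    libxml_clear_errors();
    if (!$ok) {
        // Unparsable input is treated as unsafe rather than passed through.
        return true;
    }
    $xpath = new DOMXPath($dom);
    // Any struct (at any depth) with a php_class_name member is an instantiation request.
    return $xpath->query("//struct/var[@name='php_class_name']")->length > 0;
}

function wddx_deserialize_data_only($packet)
{
    if (wddx_packet_names_class($packet)) {
        throw new UnexpectedValueException('WDDX packet requests object instantiation');
    }
    return wddx_deserialize($packet);
}

// Constructed inputs mirroring PoC 1: the same array with and without the class key.
$benign  = wddx_serialize_value(['hi' => 'ryat']);
$tainted = wddx_serialize_value(['php_class_name' => 'ryat', 'hi' => 'ryat']);

var_dump(wddx_packet_names_class($benign));
var_dump(wddx_packet_names_class($tainted));
var_dump(wddx_deserialize_data_only($benign));
try {
    wddx_deserialize_data_only($tainted);
} catch (UnexpectedValueException $e) {
    // The tainted packet is rejected before any ryat object can be created.
    echo $e->getMessage(), "\n";
}
```

This only filters the documented php_class_name trigger; as the maintainers note below, WDDX deserialization of untrusted input carries the same guarantees as unserialize(), so the real mitigation is not to feed it untrusted packets at all.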

 [2017-08-07 19:50 UTC] stas@php.net
The proposed fix doesn't seem to fix anything in fact, as it's changing serialization, not unserialization, but the question is should we consider this an issue? I.e. if wddx supports live php objects, it would be basically in the same class as unserialize, with same (none) security guarantees as it seems.
 [2017-08-13 19:40 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2017-08-13 19:40 UTC] cmb@php.net
> it would be basically in the same class as unserialize, with
> same (none) security guarantees as it seems.

Indeed, it is; see <http://news.php.net/php.internals/100183> and
<http://svn.php.net/viewvc?view=revision&revision=342852>.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC