Difference between revisions of "PHP Object Injection"
Older revision (edit summary): Created page with "{{Template:Vulnerability}} Author(s): *Egidio Romano Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' [[ASDR_TOC_V..."
Newer revision: m (minor edit)

Line 11:
PHP Object Injection is an application level vulnerability which allows an attacker to perform different kinds of malicious attacks.
− The vulnerability occurs when user-supplied input is not properly sanitized before being used in call to the unserialize() PHP function. Since PHP allows
+ The vulnerability occurs when user-supplied input is not properly sanitized before being used in call to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() function resulting in an arbitrary PHP object(s) injection into the application scope.
In order to successfully exploit a PHP Object Injection vulnerability two conditions must be satisfied:
* The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be abused to conduct malicious attacks.
− * That exploitable class must be declared when unserialize() is being called, otherwise object autoloading must be supported.
+ * That exploitable class must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for that class.
==Risk Factors==

Line 48:
$user_data = unserialize($_GET['data']);
+
+ // some PHP code...
?>
Revision as of 03:19, 6 December 2012
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Author(s): Egidio Romano
Last revision (mm/dd/yy): 12/6/2012
Description
PHP Object Injection is an application level vulnerability which allows an attacker to perform different kinds of malicious attacks. The vulnerability occurs when user-supplied input is not properly sanitized before being used in a call to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in the injection of arbitrary PHP objects into the application scope.
In order to successfully exploit a PHP Object Injection vulnerability two conditions must be satisfied:
- The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be abused to conduct malicious attacks.
- That exploitable class must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for that class.
Risk Factors
- The impact of this vulnerability could be High, but the likelihood is low, so the overall severity of this type of vulnerability is Medium.
- This vulnerability can make the website vulnerable to some other types of attacks such as Path Traversal, SQL Injection or Code Injection.
Examples
The example below shows a PHP class with an exploitable __destruct method:
<?php
class VulnCache {
    public $cache_file;
    public $cache_data;

    function __construct() {
        // some PHP code...
    }

    // Runs whenever a VulnCache object is destroyed, including objects that
    // unserialize() created from user-supplied data
    function __destruct() {
        file_put_contents($this->cache_file, $this->cache_data);
    }
}

// some PHP code...

$user_data = unserialize($_GET['data']);

// some PHP code...
?>
In this example an attacker might be able to create a new PHP file containing arbitrary code by requesting the following URL:
http://site/vuln.php?data=O:9:"VulnCache":2:{s:10:"cache_file";s:8:"test.php";s:10:"cache_data";s:21:"<?php+evil_code();+?>";}
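The script below is an added example, not code from the OWASP page. It replaces the page's VulnCache with a harmless stand-in whose __destruct only records what the page's version would have written with file_put_contents(), feeds it the exact serialized string from the URL above (URL-decoded), and then shows how the allowed_classes option of unserialize() (available since PHP 7.0) prevents the application's classes from being instantiated from that input. The class name SomeDto in the whitelist is a hypothetical placeholder.

```php
<?php
// Added example: a safe stand-in for the page's VulnCache class.
// Its destructor records the would-be write instead of performing it.
class VulnCache
{
    public $cache_file;
    public $cache_data;

    // Log of writes the page's __destruct would have performed (demonstration only)
    public static $writes = [];

    public function __destruct()
    {
        // The page's class calls file_put_contents($this->cache_file, $this->cache_data) here.
        self::$writes[] = ['file' => $this->cache_file, 'data' => $this->cache_data];
    }
}

// The serialized string from the page's example URL, URL-decoded ('+' becomes a space).
$payload = 'O:9:"VulnCache":2:{s:10:"cache_file";s:8:"test.php";s:10:"cache_data";s:21:"<?php evil_code(); ?>";}';

// 1. The vulnerable call as written on the page: PHP instantiates VulnCache with the
//    attacker-chosen property values, and __destruct runs as soon as the object is released.
$obj = unserialize($payload);
echo "plain unserialize produced: ", get_class($obj), "\n";
unset($obj);
echo "destructor writes recorded so far: ", count(VulnCache::$writes), "\n";

// 2. The same input with allowed_classes => false: every O: record is materialised as
//    __PHP_Incomplete_Class, so no __wakeup/__destruct of an application class can run.
$before = count(VulnCache::$writes);
$obj = unserialize($payload, ['allowed_classes' => false]);
echo "allowed_classes=false produced: ", get_class($obj), "\n";
unset($obj);
echo "additional destructor writes: ", count(VulnCache::$writes) - $before, "\n";

// 3. Whitelisting only the classes the data is expected to contain. VulnCache is
//    deliberately absent, so the outcome matches case 2. 'SomeDto' is a hypothetical name.
$obj = unserialize($payload, ['allowed_classes' => ['SomeDto']]);
echo "allowed_classes=['SomeDto'] produced: ", get_class($obj), "\n";
```

Case 1 records one write, while cases 2 and 3 record none, because a __PHP_Incomplete_Class object carries the data but none of the original class's methods. The whitelist variant is the realistic mitigation for legacy code that cannot drop unserialize() outright: list only the plain data classes that legitimately appear in the input and review their magic methods.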
Related Vulnerabilities
Related Controls
Prevention
Do not use the unserialize() function with user-supplied input; use JSON functions instead.
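The following is an added example of the recommended replacement, not code from the OWASP page. User-controlled state is carried as JSON rather than PHP serialization, the decoded structure is validated field by field, and, because the value round-trips through the client, it is protected with an HMAC so a tampered token is rejected before it is interpreted. The secret, the field names user_id and theme, and the token format are assumptions made for this example; the code needs PHP 7.3 or later for JSON_THROW_ON_ERROR.

```php
<?php
// Added example: JSON plus HMAC in place of unserialize($_GET['data']).

// Placeholder: load a random secret from the environment or a secret store in practice.
const STATE_KEY = 'replace-with-a-random-secret-from-the-environment';

// Encode application state for the client: base64(JSON) followed by an HMAC over the JSON.
function encodeState(array $state): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, STATE_KEY);
    return base64_encode($json) . '.' . $mac;
}

// Decode and validate a token. Returns the state array, or null if anything is off.
function decodeState(string $token): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;

    $json = base64_decode($b64, true);
    if ($json === false) {
        return null;
    }

    // Verify integrity first, with a constant-time comparison, so untrusted bytes
    // are never parsed unless they were produced by this application.
    if (!hash_equals(hash_hmac('sha256', $json, STATE_KEY), $mac)) {
        return null;
    }

    try {
        // assoc = true yields only arrays and scalars, never objects, so no
        // __wakeup/__destruct of any application class can be triggered.
        $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }

    // Validate the shape: only the expected fields, with the expected types and values.
    if (!is_array($data)
        || !isset($data['user_id'], $data['theme'])
        || !is_int($data['user_id'])
        || !is_string($data['theme'])
        || !in_array($data['theme'], ['light', 'dark'], true)) {
        return null;
    }

    return ['user_id' => $data['user_id'], 'theme' => $data['theme']];
}

// Constructed usage: a legitimate token round-trips, a tampered one is rejected.
$token = encodeState(['user_id' => 42, 'theme' => 'dark']);
var_dump(decodeState($token));

// Flip the last hex digit of the MAC to simulate tampering.
$last     = substr($token, -1);
$tampered = substr($token, 0, -1) . ($last === '0' ? '1' : '0');
echo decodeState($tampered) === null ? "tampered token rejected\n" : "BUG: tampered token accepted\n";

// In the page's example, the line
//   $user_data = unserialize($_GET['data']);
// would become
//   $user_data = decodeState($_GET['data'] ?? '') ?? [];
```

The validation step matters even with JSON: json_decode() removes the object-injection primitive, but the application still has to treat every decoded field as untrusted input before using it in file paths, queries or includes, which are the follow-on attacks listed under Risk Factors.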
References
- PHP: unserialize. http://php.net/manual/en/function.unserialize.php
- PHP: Magic Methods. http://php.net/manual/en/language.oop5.magic.php
- PHP: Autoloading Classes. http://php.net/manual/en/language.oop5.autoload.php
- Shocking news in PHP exploitation. http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf