
PHP Object Injection

From OWASP
Revision as of 23:48, 4 December 2012 by Egidio Romano




Author(s):

  • Egidio Romano

Last revision (mm/dd/yy): 12/4/2012


Description

PHP Object Injection is an application-level vulnerability that could allow an attacker to perform different kinds of malicious attacks. The vulnerability occurs when user-supplied input reaches the unserialize() PHP function. Since PHP supports object serialization, an attacker can pass an ad-hoc serialized string to unserialize() and have arbitrary PHP objects, of any class the application knows about, injected into the application scope. The attacker controls both the class of each injected object and the values of its properties, so whatever a magic method does with those properties is done with attacker-chosen data.

In order to successfully exploit a PHP Object Injection vulnerability two conditions must be satisfied:

  • The application must have a class which implements a PHP magic method (such as __wakeup() or __destruct(), or one such as __toString() that PHP invokes when the injected object is later used) that can be abused to conduct malicious attacks.
  • Every class used in the attack must be declared at the moment unserialize() is called; otherwise, object autoloading must be available to load it on demand.

Risk Factors

  • The impact of this vulnerability could be High, but the likelihood is Low, so the overall severity of this type of vulnerability is Medium.
  • Depending on which magic methods the injected objects expose, this vulnerability can make the website vulnerable to other types of attacks such as Path Traversal, SQL Injection or Code Injection.

Examples

The example below shows a PHP class with an exploitable __destruct() method, followed by the vulnerable unserialize() call:

<?php

class VulnCache
{
   public $cache_file;
   public $cache_data;

   function __construct()
   {
      // some PHP code...
   }

   function __destruct()
   {
      file_put_contents($this->cache_file, $this->cache_data);
   }
}

// some PHP code...

$user_data = unserialize($_GET['data']); // attacker-controlled input reaches unserialize()

?>

In this example an attacker might be able to create a new PHP file with arbitrary code by requesting the following URL. The + characters are URL-encoded spaces, and each s:N prefix is the byte length of the string that follows, so the payload must be recomputed whenever the file name or contents change. Note that unserialize() never calls __construct(), so the constructor cannot be relied on to set safe values, and that the injected __destruct() runs as soon as the last reference to the object is dropped, at the latest when the script ends:

http://site/vuln.php?data=O:9:"VulnCache":2:{s:10:"cache_file";s:8:"test.php";s:10:"cache_data";s:21:"<?php+evil_code();+?>";}

Related Vulnerabilities

Related Controls

Prevention

Do not pass user-supplied input to unserialize(). Use the JSON functions (json_encode() and json_decode()) to exchange structured data with clients instead: json_decode() only ever produces scalars, arrays and stdClass instances, so no application class and no magic method can be reached through it. If serialized PHP data cannot be avoided, PHP 7.0 and later accept unserialize($data, ['allowed_classes' => false]) (or an explicit list of permitted class names), which returns __PHP_Incomplete_Class objects instead of instantiating application classes; treat this as a second line of defence, not as a substitute for the JSON approach.
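The full chain, as an added example that is not part of the original page: it reproduces the VulnCache class from the Examples section, builds the serialized payload with correct byte-length prefixes, shows the unguarded unserialize() call firing __destruct(), and then shows the two hardened alternatives described in this section side by side. The build_payload() helper, the temporary target path and the evil_code() placeholder are assumptions for illustration only; the allowed_classes option of unserialize() exists on PHP 7.0 and later.

```php
<?php
// Added example, not code from the original OWASP page. It reproduces the
// VulnCache gadget from the page, builds the attack payload, shows the
// vulnerable unserialize() call firing __destruct(), then shows the two
// hardened alternatives. Assumes PHP >= 7.0 (for allowed_classes) and a
// writable sys_get_temp_dir(). Run with: php poi_demo.php

class VulnCache
{
    public $cache_file;
    public $cache_data;

    function __construct()
    {
        // Never reached by unserialize(): it does not call __construct().
    }

    function __destruct()
    {
        // Attacker controls both the path and the contents.
        file_put_contents($this->cache_file, $this->cache_data);
    }
}

// Build  O:<len>:"<class>":<n>:{s:<len>:"<name>";s:<len>:"<value>";...}
// for string-valued public properties (hypothetical helper). strlen()
// returns byte lengths, which is what PHP's format requires, so multibyte
// values serialize correctly without hand-counting.
function build_payload(string $class, array $props): string
{
    $out = sprintf('O:%d:"%s":%d:{', strlen($class), $class, count($props));
    foreach ($props as $name => $value) {
        $out .= sprintf('s:%d:"%s";s:%d:"%s";',
                        strlen($name), $name, strlen($value), $value);
    }
    return $out . '}';
}

// Hypothetical target path; on a real site it would be a web-reachable .php file.
$target = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'poi_demo.php';
@unlink($target);

$payload = build_payload('VulnCache', [
    'cache_file' => $target,
    'cache_data' => '<?php evil_code(); ?>',   // placeholder, not real code
]);
echo "data=" . urlencode($payload) . "\n";

// 1. Vulnerable pattern: the same call as on the page, with the payload
//    standing in for $_GET['data'].
$user_data = unserialize($payload);   // instantiates VulnCache with attacker properties
unset($user_data);                    // last reference dropped: __destruct() runs now
echo "unguarded unserialize(): file written = "
    . var_export(file_exists($target), true) . "\n";
@unlink($target);

// 2. Hardened: refuse to instantiate any class. The object arrives as
//    __PHP_Incomplete_Class, which carries the data but none of VulnCache's
//    methods, so dropping it triggers no file write.
$user_data = unserialize($payload, ['allowed_classes' => false]);
echo "class seen by the application: " . get_class($user_data) . "\n";
unset($user_data);
echo "allowed_classes=false: file written = "
    . var_export(file_exists($target), true) . "\n";

// 3. Preferred: exchange data as JSON. json_decode() only ever yields
//    scalars, arrays and stdClass, so no magic method can be reached, and
//    a PHP-serialized payload is simply rejected as malformed JSON.
$json_input = json_encode(['cache_file' => $target, 'cache_data' => 'x']); // constructed client input
$user_data  = json_decode($json_input, true);
echo "json_decode() of well-formed input gives a " . gettype($user_data) . "\n";
$rejected = json_decode($payload);
echo "json_decode() of the attack payload gives " . var_export($rejected, true)
    . " (json_last_error() = " . json_last_error() . ")\n";
```

Running it prints the URL-encoded payload and then reports whether the target file exists after each path: only the unguarded unserialize() call writes it, the allowed_classes=false call surfaces the object as __PHP_Incomplete_Class and writes nothing, and json_decode() returns NULL with a non-zero json_last_error() for the serialized payload. The same build_payload() logic is what a tester uses to regenerate the Examples-section URL when the file name or contents change, since every s:N prefix must match the byte length exactly.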

References