PHP Object Injection

Author(s):
 * Egidio Romano

Last revision (mm/dd/yy): //

Vulnerabilities Table of Contents

Description
PHP Object Injection is an application level vulnerability which allows an attacker to perform different kinds of malicious attacks. The vulnerability occurs when user-supplied input is not properly sanitized before being used in call to the unserialize PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize function resulting in an arbitrary PHP object(s) injection into the application scope.

In order to successfully exploit a PHP Object Injection vulnerability two conditions must be satisfied:


 * The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be abused to conduct malicious attacks.
 * That exploitable class must be declared when the vulnerable unserialize is being called, otherwise object autoloading must be supported for that class.

Risk Factors

 * The impact of this vulnerability could be High but the likelihood is low. So, the severity of this type of vulnerability is Medium.
 * This vulnerability can make the application vulnerable to some kinds of attacks such as Path Traversal, SQL Injection or Code Injection.

Examples
Example 1

The example below shows a PHP class with an exploitable __destruct method: cache_file}"; if (file_exists($file)) @unlink($file); } }

// some PHP code...

$user_data = unserialize($_GET['data']);

// some PHP code...

?>

In this example an attacker might be able to delete an arbitrary file via a Path Traversal attack, for e.g. requesting the following URL: http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}

Example 2

The example below shows a PHP class with an exploitable __wakeup method: hook)) eval($this->hook); } }

// some PHP code...

$user_data = unserialize($_COOKIE['data']);

// some PHP code...

?>

In this example an attacker might be able to perform a Code Injection attack by sending an HTTP request like this:

GET /vuln.php HTTP/1.0 Host: testsite.com Cookie: data=O%3A8%3A%22Example2%22%3A1%3A%7Bs%3A14%3A%22%00Example2%00hook%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D Connection: close

Related Vulnerabilities

 * Category:Input Validation Vulnerability

Related Controls

 * Input Validation
 * Static Code Analysis

Prevention
Do not use unserialize function with user-supplied input, use JSON functions instead.