oss-sec mailing list archives
Simple Machines Forums - PHP Object Injection
From: Scott Arciszewski <scott () paragonie com>
Date: Fri, 10 Jun 2016 13:56:14 -0400
I reported the following PHP Object Injection vulnerabilities to the SMF development team on March 9, 2016:

https://github.com/SimpleMachines/SMF2.1/blob/404fd5347951652624dfb72304ee38fcab98378f/Sources/Packages.php#L863-L873
https://github.com/SimpleMachines/SMF2.1/blob/19ee85ff8761b792ea3e9ed630a947f45f93ee68/Sources/LogInOut.php#L125-L129

In the first case, you can achieve PHP Object Injection by sending themechanges[]=serialized+object+here in the POST data of an HTTP request.

It looks like someone had attempted to find+replace all the obvious PHP Object Injection issues (i.e. unserialize($_POST['foo'])) at some point, but they didn't look for variables directly derived from user input. (foreach ($_POST['foo'] as $bar)).

I've sent follow-up emails to the development team but was never notified of any progress towards fixing it. The first one appears to have been fixed in the release-2.1 branch, but the other one still exists.

https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/Packages.php#L872-L882 is fixed
https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/LogInOut.php#L125-L129 is unfixed

That's all from me.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
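An added audit example, not part of the original post and not SMF code: a search for unserialize($_POST[...]) alone misses calls whose argument is a variable derived from request data, so this line-based heuristic follows foreach loops and assignments before flagging unserialize(). The function name and SAMPLE_PHP are constructed for illustration, and the regexes are an approximation, not a PHP parser.

```python
import re

# Request-controlled PHP superglobals, treated as taint sources.
SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
VAR = re.compile(r"\$\w+")
FOREACH = re.compile(r"foreach\s*\(\s*(.+?)\s+as\s+(?:(\$\w+)\s*=>\s*)?&?(\$\w+)\s*\)")
CALL = re.compile(r"\bunserialize\s*\(\s*([^)]*)")
ASSIGN = re.compile(r"(\$\w+)\s*=(?![=>])\s*([^;]*)")  # skips == and =>

def find_tainted_unserialize(php_source):
    """Return [(line_number, 'direct' | 'derived')] for risky unserialize() calls."""
    tainted, findings = set(), []

    def is_tainted(expr):
        return bool(SOURCE.search(expr)) or any(v in tainted for v in VAR.findall(expr))

    for lineno, line in enumerate(php_source.splitlines(), 1):
        loop = FOREACH.search(line)
        if loop and is_tainted(loop.group(1)):
            # Key and value of a loop over request data are request data too.
            tainted.update(v for v in loop.groups()[1:] if v)
        for arg in CALL.findall(line):
            if is_tainted(arg):
                kind = "direct" if SOURCE.search(arg) else "derived"
                findings.append((lineno, kind))
        for var, expr in ASSIGN.findall(line):
            # Propagate taint through assignment; a clean right-hand side clears it.
            if is_tainted(expr):
                tainted.add(var)
            else:
                tainted.discard(var)
    return findings

# Constructed sample input; the parameter name themechanges is taken from the post.
SAMPLE_PHP = r"""<?php
$prefs = unserialize($_POST['prefs']);
foreach ($_POST['themechanges'] as $change) {
    $change = unserialize($change);
}
$cached = unserialize($row['value']);
foreach ($_POST['ids'] as $id) {
    $opts = json_decode($id, true);
}
"""

if __name__ == "__main__":
    for lineno, kind in find_tainted_unserialize(SAMPLE_PHP):
        print(f"line {lineno}: unserialize() on {kind} request data")
```

Findings marked "derived" are the ones a literal search for the superglobal inside the call would not surface; each still needs manual review, since the heuristic does not model function boundaries or sanitizing calls.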