oss-sec mailing list archives

Simple Machines Forums - PHP Object Injection


From: Scott Arciszewski <scott () paragonie com>
Date: Fri, 10 Jun 2016 13:56:14 -0400

I reported the following PHP Object Injection vulnerabilities to the SMF
development team on March 9, 2016:

https://github.com/SimpleMachines/SMF2.1/blob/404fd5347951652624dfb72304ee38fcab98378f/Sources/Packages.php#L863-L873

https://github.com/SimpleMachines/SMF2.1/blob/19ee85ff8761b792ea3e9ed630a947f45f93ee68/Sources/LogInOut.php#L125-L129

In the first case, you can achieve PHP Object Injection by sending
themechanges[]=serialized+object+here in the POST data of an HTTP request.

It looks like someone had attempted to find+replace all the obvious PHP
Object Injection issues (i.e. unserialize($_POST['foo'])) at some point,
but they didn't look for variables directly derived from user input
(foreach ($_POST['foo'] as $bar)).

I've sent follow-up emails to the development team but was never notified
of any progress towards fixing it.

The first one appears to have been fixed in the release-2.1 branch, but the
other one still exists.

https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/Packages.php#L872-L882
is fixed

https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/LogInOut.php#L125-L129
is unfixed

That's all from me.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
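The pattern the report describes, as an added illustration that is not SMF's code and not part of the original post: a loop variable carrying POST data into unserialize(), beside the same loop hardened with allowed_classes => false. The ThemeSetting class and the themechanges[] payload are hypothetical.

```php
<?php
// Constructed illustration of the pattern described above; not SMF's code.
// ThemeSetting and the themechanges[] payload below are hypothetical.
class ThemeSetting
{
    public $name = '';
    public function __wakeup()
    {
        // Whatever runs here executes as soon as client-supplied data is unserialized.
        error_log('ThemeSetting::__wakeup ran during unserialize()');
    }
}

// Simulated request body: each themechanges[] element is a serialized object.
$post = ['themechanges' => ['O:12:"ThemeSetting":1:{s:4:"name";s:4:"dark";}']];

// Vulnerable pattern: input reaches unserialize() through a loop variable, so a
// search for the literal unserialize($_POST[...]) never flags this call site.
function apply_theme_changes_vulnerable(array $post): array
{
    $applied = [];
    foreach ($post['themechanges'] as $change) {
        $applied[] = unserialize($change);   // client picks the class and properties
    }
    return $applied;
}

// Hardened form: allowed_classes => false (PHP >= 7.0). Classes named in the
// payload are not instantiated; they come back as __PHP_Incomplete_Class, so
// no __wakeup()/__destruct() of application classes runs on client data.
function apply_theme_changes_hardened(array $post): array
{
    $applied = [];
    foreach ($post['themechanges'] as $change) {
        if (!is_string($change)) {
            continue;                        // nested arrays are not valid input here
        }
        $applied[] = unserialize($change, ['allowed_classes' => false]);
    }
    return $applied;
}

apply_theme_changes_vulnerable($post);   // __wakeup() fires
$safe = apply_theme_changes_hardened($post);
var_dump($safe[0] instanceof __PHP_Incomplete_Class);
```

When auditing, search for every unserialize() call and trace its argument back to the request, not just for the literal unserialize($_POST[...]); where the client never legitimately needs to send objects, accepting JSON instead removes the sink entirely.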
