Summary
This commit added direct object deserialisation of the user-controlled cookie value by calling PHP's native unserialize() function, which may lead to an RCE vulnerability.
This amounts to introducing a critical vulnerability into the code, because, before this change, the custom _safe_deserialization function could not deserialize objects at all.
Details
The _safe_deserialization function is used for custom deserialization of the cookie's value. Before the mentioned commit, _safe_deserialization could not deserialize objects at all (SMF/Sources/Subs.php, line 6679 in 964be63, where object input falls through to the branch commented `// Object or unknown/malformed type.`). With that change, a perpetrator can reach the native unserialize() function with attacker-controlled data and, in certain circumstances (in general: whenever a loadable class has a __wakeup(), __destruct() or similar magic method whose behaviour an attacker-supplied object state can abuse), execute arbitrary PHP code on the server.
PoC
None
Impact
Passing user-controlled input to PHP's unserialize() may lead to an RCE vulnerability. It is strongly recommended not to use unserialize() on user-controlled strings at all. At a minimum, the allowed_classes option should be set to an empty array (or false) so that no class names are allowed and any serialized object is materialised as __PHP_Incomplete_Class instead of being instantiated.
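The following is an added illustration, not SMF's code and not a PoC against SMF: it contrasts a plain unserialize() of a cookie value with the allowed_classes mitigation recommended above. The class name CacheFlush, its __destruct() body, and the cookie payload are all constructed for the example; the only real behaviour demonstrated is PHP's own handling of the allowed_classes option.

```php
<?php
// Added example (not SMF code). Demonstrates why unserialize() on a
// user-controlled cookie is dangerous and what allowed_classes changes.

// Hypothetical application class with a magic method. Any such class that
// is loadable at unserialize() time is a candidate "gadget" once the
// attacker controls the serialized string.
class CacheFlush
{
    public $cmd = 'true';

    // Runs automatically when the deserialised object is destroyed.
    public function __destruct()
    {
        // A real gadget would do something like shell_exec($this->cmd);
        // echo stands in for the side effect so this script is safe to run.
        echo "[side effect] would execute: {$this->cmd}\n";
    }
}

// Constructed attacker-controlled cookie value: a serialized CacheFlush
// object instead of the array the application expects.
$cookie = 'O:10:"CacheFlush":1:{s:3:"cmd";s:11:"id > /tmp/x";}';

function deserialize_unsafe(string $s)
{
    // Vulnerable: every class in the payload is instantiated, so
    // __wakeup()/__destruct() of CacheFlush will run with attacker state.
    return unserialize($s);
}

function deserialize_hardened(string $s)
{
    // Hardened: 'allowed_classes' => false (equivalently []) forbids every
    // class; objects in the payload become __PHP_Incomplete_Class, whose
    // magic methods never execute. Here any object is rejected outright.
    $v = unserialize($s, ['allowed_classes' => false]);
    if ($v instanceof __PHP_Incomplete_Class) {
        return null;
    }
    return $v;
}

$a = deserialize_unsafe($cookie);
var_dump(get_class($a));   // CacheFlush: attacker chose the class
unset($a);                 // __destruct() fires with attacker-supplied $cmd

$b = deserialize_hardened($cookie);
var_dump($b);              // NULL: object payload rejected, no magic method ran
```

Note that allowed_classes only removes the object-instantiation path; unserialize() on untrusted input has a long history of parser-level bugs as well, which is why keeping the application's own restricted parser (or a format such as JSON that cannot express objects) is preferable to calling unserialize() at all.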