Sven Morgenroth, a security researcher at Netsparker, was interviewed by Paul Asadoorian and Larry Pesce for Paul's Security Weekly #584. Sven talked about PHP Object injection vulnerabilities and explained the dangers of PHP's unserialize function. Sven's talk was divided into three sections: some background, a technical demo and a final focus on vulnerabilities
- To begin with, Sven asked and answered some basic questions. What are PHP objects and how are they are created? What does the corresponding object look like? How are they stored? What are objects used for? Sven looked at the common operations of PHP objects, as well as their 'magic methods' – class methods that allow the execution of certain functions based on how objects are used.
- During his demo, Sven showed the format of serialized PHP Objects, explained PHP's magic methods, and walked us through how to write an exploit for a PHP Object Injection vulnerability.
- Sven pointed out that their vulnerability issues lie with both the properties and the magic methods. This kind of vulnerability is not unique to PHP. Python, Ruby and Java share similar problems. In some respects, the vulnerability in these languages is worse than PHP; in other aspects PHP is worse. Sven concluded with the vital question of what you can do to prevent these vulnerabilities:
- Don't pass user controlled input to unserialize
- Often you can use json_encode or json_decode
- If you need to store it somewhere where a user could change it, like in a form field, use an HMAC
For those who want more information about PHP Object injection, read Sven's other blog post, Why You Should Never Pass Untrusted Data to Unserialize When Writing PHP Code.