Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 10 Jun 2016 13:56:14 -0400
From: Scott Arciszewski <>
Subject: Simple Machines Forums - PHP Object Injection

I reported the following PHP Object Injection vulnerabilities to the SMF
development team on March 9, 2016:

In the first case, you can achieve PHP Object Injection by sending
themechanges[]=serialized+object+here in the POST data of an HTTP request.

It looks like someone had attempted to find+replace all the obvious PHP
Object Injection issues (i.e. unserialize($_POST['foo'])) at some point,
but they didn't look for variables directly derived from user input.
(foreach ($_POST['foo'] as $bar)).

I've sent follow-up emails to the development team but was never notified
of any progress towards fixing it.

The first one appears to have been fixed in the release-2.1 branch, but the
other one still exists.
is fixed
is unfixed

That's all from me.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ