Date: Fri, 10 Jun 2016 13:56:14 -0400
From: Scott Arciszewski <scott@...agonie.com>
To: oss-security@...ts.openwall.com
Subject: Simple Machines Forums - PHP Object Injection

I reported the following PHP Object Injection vulnerabilities to the SMF development team on March 9, 2016:

https://github.com/SimpleMachines/SMF2.1/blob/404fd5347951652624dfb72304ee38fcab98378f/Sources/Packages.php#L863-L873
https://github.com/SimpleMachines/SMF2.1/blob/19ee85ff8761b792ea3e9ed630a947f45f93ee68/Sources/LogInOut.php#L125-L129

In the first case, you can achieve PHP Object Injection by sending themechanges=serialized+object+here in the POST data of an HTTP request.

It looks like someone had attempted to find+replace all the obvious PHP Object Injection issues (i.e. unserialize($_POST['foo'])) at some point, but they didn't look for variables directly derived from user input. (foreach ($_POST['foo'] as $bar)).

I've sent follow-up emails to the development team but was never notified of any progress towards fixing it. The first one appears to have been fixed in the release-2.1 branch, but the other one still exists.

https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/Packages.php#L872-L882 is fixed
https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/LogInOut.php#L125-L129 is unfixed

That's all from me.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
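The audit gap described in the message above, shown as an added example that is not part of the original post and is not SMF code: a line-based heuristic that follows request data through assignments and foreach loops before it reaches unserialize(), next to the direct-match search that misses those cases. The function names and the PHP sample are constructed for illustration, and the tracking is deliberately simple (single forward pass, no scopes, no sanitizer awareness).

```python
import re

# Request superglobals treated as attacker-controlled.
SOURCE = re.compile(r'\$_(?:POST|GET|REQUEST|COOKIE)\b')
VAR = re.compile(r'\$[A-Za-z_]\w*')
FOREACH = re.compile(r'foreach\s*\((.+?)\s+as\s+(.+?)\)')
ASSIGN = re.compile(r'(\$[A-Za-z_]\w*)\s*=(?![=>])\s*(.+?);')
UNSERIALIZE = re.compile(r'\bunserialize\s*\((.*)')
DIRECT = re.compile(r'\bunserialize\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b')

def is_tainted(expr, tainted):
    """True if expr mentions a superglobal or a variable derived from one."""
    return bool(SOURCE.search(expr)) or any(v in tainted for v in VAR.findall(expr))

def naive_grep(php_source):
    """The find+replace style search: only unserialize($_POST[...]) and friends."""
    return [n for n, line in enumerate(php_source.splitlines(), 1)
            if DIRECT.search(line)]

def find_tainted_unserialize(php_source):
    """Return (line number, line) for unserialize() calls fed by request data."""
    tainted, findings = set(), []
    for n, line in enumerate(php_source.splitlines(), 1):
        loop = FOREACH.search(line)
        if loop and is_tainted(loop.group(1), tainted):
            # Loop key and value both inherit taint from the iterated array.
            tainted.update(VAR.findall(loop.group(2)))
        for target, expr in ASSIGN.findall(line):
            if is_tainted(expr, tainted):
                tainted.add(target)
        call = UNSERIALIZE.search(line)
        if call and is_tainted(call.group(1), tainted):
            findings.append((n, line.strip()))
    return findings

# Constructed PHP sample (not taken from SMF).
SAMPLE = """<?php
$a = unserialize($_POST['foo']);
foreach ($_POST['foo'] as $bar)
{
    $b = unserialize($bar);
}
$raw = base64_decode($_COOKIE['prefs']);
$c = unserialize($raw);
$d = unserialize($cache_row);
"""

if __name__ == "__main__":
    print("direct match only:", naive_grep(SAMPLE))
    for n, line in find_tainted_unserialize(SAMPLE):
        print(f"line {n}: {line}")
```
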