Print

Print


This does not appear to be the case. To the best of my knowledge, PHP's
serialization behaves much like Java's. If you serialize an object, the
data gets serialized, not the code. In fact, if you unserialize an
object without a matching class in the namespace, the resulting instance
in PHP is the class __PHP_Incomplete_Class Object. The __wake() method
that is called on unserialization is not defined in the serialized data,
but rather in the class definition in the code itself. If one can really
inject executable code into a serialized PHP object that easily, then
PHP itself has a big problem. However, I do not believe that the
serialization routines are designed to permit this. If they are, I'd
like to see an example of the exploit.

My attempt to write an exploit of the type you describe fails. Here is
the code:

Malicious.class.php:

<?php

class Malicious {
        public $data = 'default';

        public function __wakeup() {
                header('Content-type: text/plain');
                echo "Hello world, I'm Evil!\n";
                exit;
        }
}

---

out.php

<?php
require_once('Malicious.class.php');

$output = new Malicious();

$output->data = 'changed';

header('Content-type: text/plain');
echo serialize($output);


Outputs:
O:9:"Malicious":1:{s:4:"data";s:7:"changed";}

---

in_withmalice.php

<?php
require_once('Malicious.class.php');

$output =
unserialize(file_get_contents('http://localhost/pstest/out.php'));

header('Content-type: text/plain');
print_r($output);


Outputs:
Hello world, I'm Evil!

---

in_withoutmalice.php
<?php
$output =
unserialize(file_get_contents('http://localhost/pstest/out.php'));

header('Content-type: text/plain');
print_r($output);


Outputs:
__PHP_Incomplete_Class Object
(
    [__PHP_Incomplete_Class_Name] => Malicious
    [data] => changed
)



Now I agree with your basic intuition. Any data that gets passed to an
application from an external source should never be completely trusted,
whether it's a Web service, a form, or something else. Still, I doubt
that consuming PHP serializations is fundamentally unsafe.

- David

---
David Cloutman <[log in to unmask]>
Electronic Services Librarian
Marin County Free Library 

-----Original Message-----
From: Code for Libraries [mailto:[log in to unmask]] On Behalf Of
Tim Spalding
Sent: Tuesday, December 30, 2008 11:05 AM
To: [log in to unmask]
Subject: Re: [CODE4LIB] Mime type for PHP serialized objects


Don't you think that's rather dangerous? PHP serialization can include
objects, and it calls wakeup() on the object if that exists after
unserialization. In theory that could do almost anything, right?

Tim

On Tue, Dec 30, 2008 at 1:55 PM, Cloutman, David
<[log in to unmask]> wrote:
> I have a quick question for any PHP developers out there.
>
> I am writing a SOA application to manage my library's events calendar.
> The basic idea is to create a public API that our web site or other
> community organizations can use to query and consume information. I am
> using JSON as the default output for information, but would like to
add
> the option of outputting native serialized PHP data structures as
> created by the serialized() function.
>
> My question is, what mime type should I use for serialized PHP data?
The
> best suggestion I saw through Google was
application/vnd.php.serialized,
> which was posted as a proposal. I don't know if any standard was
adopted
> though. Has anyone else thought about this issue?
>
> - David
>
>
>
> ---
> David Cloutman <[log in to unmask]>
> Electronic Services Librarian
> Marin County Free Library
>
> Email Disclaimer:
http://www.co.marin.ca.us/nav/misc/EmailDisclaimer.cfm
>



-- 
Check out my library at http://www.librarything.com/profile/timspalding