rvcw

PHP Code Injection

Hi,

There is an application I use, and an exploit for it was announced recently. They say they can:

The vulnerable code is located in /includes/classes/class.admin.php
The function sortableTableInit() passes $_COOKIE data to unserialize function without sanitizing it.
Code on Line 711

   $sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
   $sortdata = unserialize( base64_decode( $sortdata ) );
   
User input passed through the Cookies is not properly sanitized before being used in
an unserialize() call at line 711. This can be exploited to inject arbitrary PHP objects into the
application scope.


I'm working on a web application myself and security is something I'm very concerned and careful about.

Can anyone enlighten me and tell me how exactly that exploit works and what can be implemented into that code that will prevent the mentioned exploit.
duncanb7

$sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
   $sortdata = unserialize( base64_decode( $sortdata ) );

Probably $_COOKIE["sortdata"] is not set yet, and $sortdata="" so that you got the message

Could you check or echo it before executing unserialize  ?
What application are you talking about.  There is nothing inherently wrong in the code posted here; the only issue would be the use of the $sortdata variable after this process.

See the explanations here:
http://php.net/manual/en/function.base64-decode.php
http://php.net/manual/en/function.unserialize.php
Beverley Portlock
There is a patch on the way so maybe your best policy is to chase them up and find out when the patch will be released.

http://security-geeks.blogspot.co.uk/2013/11/whmcs-5112-php-object-injectoin.html

http://blog.whmcs.com/?t=80206


Security Status Update


As you may be aware, a security issue has been published which affects all known versions of WHMCS.

We are currently aware of the issue and are working on a software update to prevent this attack vector from being successful.

We will be publishing software updates for the versions in Active Development and LTS per our Long Term Support Policy:

http://docs.whmcs.com/Long_Term_Support

Please keep watch on our blog, facebook and twitter to receive the latest updates.


Posted by Matt on Friday, October 18th, 2013
rvcw

ASKER

I don't think I was very clear, allow me to clarify on what my question is.

@bportlock - my concern is not a patch for the application. I'm already well aware of its developments. I am not looking for a patch, I'm not looking for news regarding the exploit - I'm not concerned about the exploit whatsoever. I'm afraid your answer is irrelevant to my question.

@ray & duncan, many thanks for your helpful comments.

My question is what can be done to sanitise the cookie data.

To re-iterate, because I'm developing my own web application, I want to be aware of any security implications. With this exploit, I don't understand what can be done to sanitise the input to prevent PHP code injection as per the exploit announcement.
Are you using WHMCS or not?  Are you looking for a technique that will give you a cookie that is resistant to tampering?  Please clarify, thanks. ~Ray
rvcw

ASKER

Hi Ray,

I personally do not use the software. I just wanted to know how the exploit is working (which I think above you described).

And also, what can be done to protect against it.

For example, the person that posted the exploit said it wasn't sanitised. I want to know what sanitisation can be done. Not necessarily a cookie resistant to tampering, but as it stands what can be done to sanitise the cookie data.

For example, with MySQL, you would use prepared statements as a way of sanitising user input for mysql queries to prevent sql injection.

For XSS, you would strip out certain html entities etc.

For this, what would you need to do to sanitise the cookie data to prevent the "php code injection".
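
An added example, not part of the original thread and not WHMCS's code, of one way to handle a cookie like "sortdata" without passing client-controlled bytes to unserialize(): the cookie is authenticated with an HMAC, decoded as JSON (which cannot instantiate objects), and checked against a whitelist. The constants, function names, key handling and "payload.mac" cookie layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names: SORT_COLUMNS, SORT_ORDERS, the key, and the "payload.mac" cookie layout.
const SORT_COLUMNS = ['id', 'name', 'date'];
const SORT_ORDERS  = ['ASC', 'DESC'];

/** Encode sort preferences as base64(JSON) followed by an HMAC-SHA256 tag. */
function encodeSortCookie(array $sort, string $key): string
{
    $payload = base64_encode(json_encode($sort, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

/** Return ['column' => ..., 'order' => ...], or null if absent, forged or malformed. */
function decodeSortCookie(?string $cookie, string $key): ?array
{
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie);
    // Authenticate before parsing; hash_equals() compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $json = base64_decode($payload, true); // strict mode rejects bytes outside the base64 alphabet
    if ($json === false) {
        return null;
    }
    // json_decode() yields only scalars and arrays: no class is instantiated and no
    // __wakeup()/__destruct() method runs, unlike unserialize() on the same input.
    $data = json_decode($json, true, 4);
    if (!is_array($data)) {
        return null;
    }
    $column = $data['column'] ?? null;
    $order  = $data['order'] ?? null;
    if (!in_array($column, SORT_COLUMNS, true) || !in_array($order, SORT_ORDERS, true)) {
        return null;
    }
    return ['column' => $column, 'order' => $order];
}

$key    = random_bytes(32); // constructed for the demo; a real key is a persistent server-side secret
$good   = encodeSortCookie(['column' => 'name', 'order' => 'DESC'], $key);
$forged = base64_encode('O:8:"stdClass":0:{}') . '.' . str_repeat('0', 64); // constructed: serialized object, wrong MAC
var_dump(decodeSortCookie($good, $key));
var_dump(decodeSortCookie($forged, $key));
```

In a request handler the input would be $_COOKIE['sortdata'] ?? null after an is_string() check. Where unserialize() cannot be replaced, PHP 7 and later accept ['allowed_classes' => false] as its second argument so that no application class is instantiated.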
rvcw

ASKER

Thanks guys, that's the info I was looking for. Much appreciated.