PHP Code Injection

Hi,

There is an application I use, and an exploit for it was announced recently. They say they can:

The vulnerable code is located in /includes/classes/class.admin.php
The function sortableTableInit() passes S_COOKIE data to unserialize function without sanitizing it.
Code on Line 711

   $sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
   $sortdata = unserialize( base64_decode( $sortdata ) );
   
User input passed through the Cookies is not properly sanitized before being used in
an unserialize() call at line 711. This can be exploited to inject arbitrary PHP objects into the
application scope.


I'm working on a web application myself and security is something I'm very concerned and careful about.

Can anyone enlighten me and tell me how exactly that exploit works, and what can be implemented into that code that will prevent the mentioned exploit?
rvcwAsked:
duncanb7Commented:
   $sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
   $sortdata = unserialize( base64_decode( $sortdata ) );

Probably $_COOKIE["sortdata"] is not set yet, and $sortdata="" so that you got the message.

Could you check or echo it before executing unserialize?
Ray PaseurCommented:
What application are you talking about? There is nothing inherently wrong in the code posted here; the only issue would be the use of the $sortdata variable after this process.

See the explanations here:
http://php.net/manual/en/function.base64-decode.php
http://php.net/manual/en/function.unserialize.php
Beverley PortlockCommented:
There is a patch on the way so maybe your best policy is to chase them up and find out when the patch will be released.

http://security-geeks.blogspot.co.uk/2013/11/whmcs-5112-php-object-injectoin.html

http://blog.whmcs.com/?t=80206


Security Status Update


As you may be aware, a security issue has been published which affects all known versions of WHMCS.

We are currently aware of the issue and are working on a software update to prevent this attack vector from being successful.

We will be publishing software updates for the versions in Active Development and LTS per our Long Term Support Policy:

http://docs.whmcs.com/Long_Term_Support

Please keep watch on our blog, facebook and twitter to receive the latest updates.


Posted by Matt on Friday, October 18th, 2013
rvcwAuthor Commented:
I don't think I was very clear, allow me to clarify on what my question is.

@bportlock - my concern is not a patch for the application. I'm already well aware of its developments. I am not looking for a patch, I'm not looking for news regarding the exploit - I'm not concerned about the exploit whatsoever. I'm afraid your answer is irrelevant to my question.

@ray & duncan, many thanks for your helpful comments.

My question is what can be done to sanitise the cookie data.

To reiterate, because I'm developing my own web application, I want to be aware of any security implications. With this exploit, I don't understand what can be done to sanitise the input to prevent PHP code injection as per the exploit announcement.
Ray PaseurCommented:
Are you using WHMCS or not?  Are you looking for a technique that will give you a cookie that is resistant to tampering?  Please clarify, thanks. ~Ray
rvcwAuthor Commented:
Hi Ray,

I personally do not use the software. I just wanted to know how the exploit is working (which I think above you described).

And also, what can be done to protect against it.

For example, the person that posted the exploit said it wasn't sanitised. I want to know what sanitisation can be done. Not necessarily a cookie resistant to tampering, but as it stands what can be done to sanitise the cookie data.

For example, with MySQL, you would use prepared statements as a way of sanitising user input for mysql queries to prevent sql injection.

For XSS, you would strip out certain html entities etc.

For this, what would you need to do to sanitise the cookie data to prevent the "php code injection".
Beverley PortlockCommented:
The same sanitisation rules apply to cookies as to any other form of data from an external source. Partly it depends what you want to do with the data.

For instance, if the data should contain no HTML then running it through strip_tags is a good idea. If HTML is allowed, but only a subset of it, then strip_tags with the allowable_tags parameter could be used.

If full HTML is allowed then mysql_real_escape_string or htmlentities could be used to clean the data to stop quote injection affecting the database. As you can see, the problem here is that the use of the data can affect the sanitisation method.

Personally, I would encrypt the cookie data using blowfish via the PHP mcrypt algorithm and store the encrypted data in the cookie. That would prevent tampering with the data and allow it to be trusted.

http://www.php.net/strip_tags
http://www.php.net/mysql_real_escape_string
http://www.php.net/htmlentities
Ray PaseurCommented:
HTTP Cookies are like any other external data.  By definition, external data is tainted and should be considered an attack vector.

PHP has filtering functions.  This might be useful.
http://php.net/manual/en/book.filter.php

Personally, I use a technique like this and discard the cookie if it does not decode correctly.

<?php // RAY_cookie_safety.php
error_reporting(E_ALL);


// DEMONSTRATE HOW TO ENCODE INFORMATION IN A COOKIE
// TO REDUCE THE RISK OF COOKIE TAMPERING


// A DATA DELIMITER
$dlm = '|';

// YOUR OWN SECRET CODE
$secret_code = 'MY SECRET';

// A DATA STRING THAT WE WANT TO STORE (MIGHT BE A DB KEY)
$cookie_value = 'MARY HAD A LITTLE LAMB';

// ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
$cookie_code = md5($cookie_value . $secret_code);

// CONSTRUCT THE COOKIE STRING WITH THE CLEAR TEXT AND THE CODED STRING
$safe_cookie_value = $cookie_value . $dlm . $cookie_code;

// SET THE COOKIE LIKE "MARY HAD A LITTLE LAMB|cf783c37f18d007d23483b11759ec181"
setcookie('safe_cookie', $safe_cookie_value);



// WHEN STORED, THE COOKIE WILL BE URL-ENCODED SO IT WILL LOOK SOMETHING LIKE THIS ON THE BROWSER
// MARY+HAD+A+LITTLE+LAMB%7Ccf783c37f18d007d23483b11759ec181
// IT WILL BE URL-DECODED BEFORE IT IS PRESENTED TO PHP



// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH YOUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH (OR THE DELIMITER IS MISSING), THE COOKIE IS NO LONGER INTACT
    // STRICT COMPARISON: == WOULD TREAT TWO HEX STRINGS LIKE "0e..." AS EQUAL NUMBERS
    if (isset($array[1]) && $cookie_test === $array[1])
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}
else
{
    die('COOKIE IS SET - REFRESH THE BROWSER WINDOW NOW');
}




// MUNG THE COOKIE TO DEMONSTRATE WHAT HAPPENS WITH A CORRUPT COOKIE
$_COOKIE["safe_cookie"] = str_replace('MARY', 'FRED', $_COOKIE["safe_cookie"]);

// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH (OR THE DELIMITER IS MISSING), THE COOKIE IS NO LONGER INTACT
    if (isset($array[1]) && $cookie_test === $array[1])
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}


Best regards, ~Ray
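As an added example (not Ray's code, and not WHMCS's), here is the same idea applied to the "sortdata" cookie from the question: the cookie carries a JSON payload plus an HMAC, the MAC is verified before the payload is parsed, and unserialize() is never called on client data. It assumes PHP 7.1 or later; $secret_key, the cookie name and the sample sort settings are constructed for illustration.

```php
<?php
// Added example: a tamper-evident "sortdata" cookie that is never passed to unserialize().
// $secret_key is an assumption; in a real application it lives server-side, not in source.
$secret_key = 'REPLACE-WITH-A-LONG-RANDOM-SERVER-SIDE-SECRET';

// ENCODE: JSON payload (base64) joined with an HMAC-SHA256 of that payload
function make_sort_cookie(array $sortdata, string $key): string {
    $payload = base64_encode(json_encode($sortdata));
    $mac     = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;          // base64 and hex never contain '.'
}

// DECODE: verify the MAC first, parse second; return null on any failure
function read_sort_cookie(string $cookie, string $key): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                       // no delimiter: malformed
    }
    list($payload, $mac) = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) {   // constant-time compare, no "0e.." == pitfalls
        return null;                       // forged or tampered cookie
    }
    $json = base64_decode($payload, true); // strict: reject non-base64 characters
    if ($json === false) {
        return null;
    }
    $data = json_decode($json, true);      // assoc arrays only: no objects are instantiated
    return is_array($data) ? $data : null;
}

// If legacy serialized data must still be read, refuse object instantiation outright
// (PHP >= 7.0); any object in the blob comes back as __PHP_Incomplete_Class instead.
function safe_unserialize(string $blob) {
    return unserialize($blob, ['allowed_classes' => false]);
}

// Usage with a constructed value: issue the cookie, then read it back on the next request
$cookie = make_sort_cookie(['column' => 'name', 'dir' => 'asc'], $secret_key);
setcookie('sortdata', $cookie, 0, '/', '', true, true);    // Secure + HttpOnly flags

$sortdata = isset($_COOKIE['sortdata'])
    ? read_sort_cookie($_COOKIE['sortdata'], $secret_key)
    : null;
if ($sortdata === null) {
    $sortdata = ['column' => 'id', 'dir' => 'asc'];         // discard bad cookie, use defaults
}
```

The only difference from Ray's scheme is the keyed hash (hash_hmac instead of md5 of value plus secret) and the JSON payload, which is what removes the unserialize() call the advisory describes.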

rvcwAuthor Commented:
Thanks guys, that's the info I was looking for. Much appreciated.