We help IT Professionals succeed at work.

PHP Code Injection

rvcw asked
Last Modified: 2013-11-03

There is an application I use, and an exploit for it was announced recently. The say they can:

The vulnerable code is located in /includes/classes/class.admin.php
The function sortableTableInit() passes S_COOKIE data to unserialize function without sanitizing it.
Code on Line 711

   $sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
   $sortdata = unserialize( base64_decode( $sortdata ) );
User input passed through the Cookies is not properly sanitized before being used in
an unserialize() call at line 711. This can be exploited to inject arbitrary PHP objects into the
application scope.

I'm working on a web application myself and security is something I'm very concerned and careful about.

Can anyone enlighten me and tell me how exactly that exploit works and what can be implemented into that code that will prevent the mentioned exploit.
Watch Question

$sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
   $sortdata = unserialize( base64_decode( $sortdata ) );

Probably $_COOKE["sortdata'"] is not set yet, and $sortdata="" so that you got the message

Could you check or echo it before executing unserialize  ?
Most Valuable Expert 2011
Author of the Year 2014

What application are you talking about.  There is nothing inherently wrong in the code posted here; the only issue would be the use of the $sortdata variable after this process.

See the explanations here:

There is a patch on the way so maybe your best policy is to chase them up and find out when the patch will be released.



Security Status Update

As you may be aware, a security issue has been published which affects all known versions of WHMCS.

We are currently aware of the issue and are working on a software update to prevent this attack vector from being successful.

We will be publishing software updates for the versions in Active Development and LTS per our Long Term Support Policy:


Please keep watch on our blog, facebook and twitter to receive the latest updates.

Posted by Matt on Friday, October 18th, 2013


I don't think I was very clear, allow me to clarify on what my question is.

@bportlock - my concern is not a patch for the application. I'm already well aware of its developments. I am not looking for a patch, I'm not looking for news regarding the exploit - I'm not concerned about the exploit whatsoever. I'm afraid your answer is irrelevant to my question.

@ray & duncan, many thanks for your helpful comments.

My question is what can be done to sanitise the cookie data.

To re-iterate, because I'm developing my own web application, I want to be aware of any security implications. With this exploit, I don't understand what can be done to sanitise the input to prevent PHP code injection as per the exploit announcement.
Most Valuable Expert 2011
Author of the Year 2014

Are you using WHMCS or not?  Are you looking for a technique that will give you a cookie that is resistant to tampering?  Please clarify, thanks. ~Ray


Hi Ray,

I personally do not use the software. I just wanted to know how the exploit is working (which I think above you described).

And also, what can be done to protect against it.

For example, the person that posted the exploit said it wasn't sanitised. I want to know what sanitisation can be done. Not necessarily a cookie resistant to tampering, but as it stands what can be done to sanitise the cookie data.

For example, with MySQL, you would use prepared statements as a way of sanitising user input for mysql queries to prevent sql injection.

For XSS, you would strip out certain html entities etc.

For this, what would you need to do to sanitise the cookie data to prevent the "php code injection".
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
Most Valuable Expert 2011
Author of the Year 2014
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)


Thanks guys, that's the info I was looking for. Much appreciated.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions