PHP Code Injection

rvcw asked
Last Modified: 2013-11-03
Hi,

There is an application I use, and an exploit for it was announced recently. They say they can:

The vulnerable code is located in /includes/classes/class.admin.php
The function sortableTableInit() passes $_COOKIE data to the unserialize function without sanitizing it.
Code on Line 711

   $sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
   $sortdata = unserialize( base64_decode( $sortdata ) );
   
User input passed through the Cookies is not properly sanitized before being used in
an unserialize() call at line 711. This can be exploited to inject arbitrary PHP objects into the
application scope.


I'm working on a web application myself and security is something I'm very concerned and careful about.

Can anyone enlighten me and tell me how exactly that exploit works and what can be implemented into that code that will prevent the mentioned exploit.
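Added example, not code from the original thread or from WHMCS, showing why the two lines quoted above are exploitable. TempFileCleaner is a hypothetical class standing in for any class the real application already autoloads; the attacker cannot add classes, but unserialize() will happily instantiate an existing one and fill in its properties from the cookie. The file path and cookie value are constructed for the demonstration.

```php
<?php
// Added example, not WHMCS code. TempFileCleaner is a hypothetical stand-in
// for any class the real application defines: the attacker cannot add classes,
// but can make unserialize() build an instance of an existing one.

class TempFileCleaner
{
    public $path;

    public function __construct($path)
    {
        $this->path = $path;
    }

    // PHP calls this when the object is destroyed, including objects that
    // unserialize() created from attacker-supplied data.
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// The vulnerable pattern from the advisory: the cookie is never type-checked.
function sortableTableInit()
{
    $sortdata = (isset($_COOKIE["sortdata"]) ? $_COOKIE["sortdata"] : "");
    $sortdata = unserialize(base64_decode($sortdata));
    // $sortdata goes out of scope at return; if it is an object, __destruct() fires.
    return is_array($sortdata) ? $sortdata : array();
}

// What the developer expected the cookie to contain.
$expected = base64_encode(serialize(array('column' => 'name', 'dir' => 'asc')));

// What an attacker sends instead. The payload is written by hand, as a real
// attacker would (they need only the class and property names, not its code),
// and it names a file on the server the attacker wants removed.
$target = sys_get_temp_dir() . '/constructed-victim.txt';
file_put_contents($target, 'constructed sample data');
$payload = sprintf('O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}',
                   strlen($target), $target);

$_COOKIE['sortdata'] = base64_encode($payload); // simulates: Cookie: sortdata=...
$sort = sortableTableInit();

// The application only sees "no sort data" (an empty array), yet the
// destructor of the injected object has already deleted the target file.
var_dump($sort);
var_dump(file_exists($target));
```

Run with `php example.php`. The important point is that the application never calls any method on the injected object; instantiation and destruction alone are enough, which is why a class with a side-effecting __wakeup() or __destruct() anywhere in the autoload path turns an unserialize() of untrusted data into arbitrary behaviour.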
Commented:
   $sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
   $sortdata = unserialize( base64_decode( $sortdata ) );

Probably $_COOKIE["sortdata"] is not set yet, and $sortdata="" so that you got the message

Could you check or echo it before executing unserialize  ?
Commented:
What application are you talking about? There is nothing inherently wrong in the code posted here; the only issue would be the use of the $sortdata variable after this process.

See the explanations here:
http://php.net/manual/en/function.base64-decode.php
http://php.net/manual/en/function.unserialize.php

Commented:
There is a patch on the way so maybe your best policy is to chase them up and find out when the patch will be released.

http://security-geeks.blogspot.co.uk/2013/11/whmcs-5112-php-object-injectoin.html

http://blog.whmcs.com/?t=80206


Security Status Update


As you may be aware, a security issue has been published which affects all known versions of WHMCS.

We are currently aware of the issue and are working on a software update to prevent this attack vector from being successful.

We will be publishing software updates for the versions in Active Development and LTS per our Long Term Support Policy:

http://docs.whmcs.com/Long_Term_Support

Please keep watch on our blog, facebook and twitter to receive the latest updates.


Posted by Matt on Friday, October 18th, 2013

Author

Commented:
I don't think I was very clear, allow me to clarify on what my question is.

@bportlock - my concern is not a patch for the application. I'm already well aware of its developments. I am not looking for a patch, I'm not looking for news regarding the exploit - I'm not concerned about the exploit whatsoever. I'm afraid your answer is irrelevant to my question.

@ray & duncan, many thanks for your helpful comments.

My question is what can be done to sanitise the cookie data.

To re-iterate, because I'm developing my own web application, I want to be aware of any security implications. With this exploit, I don't understand what can be done to sanitise the input to prevent PHP code injection as per the exploit announcement.
Commented:
Are you using WHMCS or not?  Are you looking for a technique that will give you a cookie that is resistant to tampering?  Please clarify, thanks. ~Ray

Author

Commented:
Hi Ray,

I personally do not use the software. I just wanted to know how the exploit is working (which I think above you described).

And also, what can be done to protect against it.

For example, the person that posted the exploit said it wasn't sanitised. I want to know what sanitisation can be done. Not necessarily a cookie resistant to tampering, but as it stands what can be done to sanitise the cookie data.

For example, with MySQL, you would use prepared statements as a way of sanitising user input for mysql queries to prevent sql injection.

For XSS, you would strip out certain html entities etc.

For this, what would you need to do to sanitise the cookie data to prevent the "php code injection".
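Added example answering the question above; it is not from the original thread and not WHMCS code. There is no filter that makes a serialize() string safe to pass to unserialize(), so the fix is to stop unserializing cookies at all: store the sort preference as JSON (which cannot describe PHP objects), sign it with an HMAC so tampering is detected, and then validate every field against an allow-list before use. SECRET_KEY, ALLOWED_COLUMNS and the sample cookie values are placeholders constructed for the demonstration.

```php
<?php
// Added example, not WHMCS code. SECRET_KEY is a placeholder: in a real
// application load it from configuration (generated with random_bytes()).
const SECRET_KEY      = 'placeholder-replace-with-32-random-bytes';
const ALLOWED_COLUMNS = ['name', 'date', 'status'];
const ALLOWED_DIRS    = ['asc', 'desc'];

// Server side: build the cookie value. JSON has no object notation, so even a
// forged payload cannot instantiate a PHP class the way serialize() data can.
function makeSortCookie(string $column, string $dir): string
{
    $payload = base64_encode(json_encode(['column' => $column, 'dir' => $dir]));
    $mac     = hash_hmac('sha256', $payload, SECRET_KEY);
    return $payload . '.' . $mac;
}

// Server side: parse the cookie. Any problem falls back to a safe default.
function readSortCookie(?string $cookie): array
{
    $default = ['column' => 'name', 'dir' => 'asc'];
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return $default;
    }
    [$payload, $mac] = explode('.', $cookie, 2);

    // 1. Integrity: constant-time compare so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET_KEY), $mac)) {
        return $default;
    }
    // 2. Format: strict base64 and JSON, decoded to arrays only, never objects.
    $raw  = base64_decode($payload, true);
    $data = ($raw === false) ? null : json_decode($raw, true);
    if (!is_array($data)) {
        return $default;
    }
    // 3. Semantics: each value must be one the application knows, so the
    //    result can be used directly in ORDER BY without further escaping.
    $column = in_array($data['column'] ?? null, ALLOWED_COLUMNS, true)
        ? $data['column'] : $default['column'];
    $dir    = in_array($data['dir'] ?? null, ALLOWED_DIRS, true)
        ? $data['dir'] : $default['dir'];
    return ['column' => $column, 'dir' => $dir];
}

// Constructed demonstration values.
$good = makeSortCookie('date', 'desc');
var_dump(readSortCookie($good));          // accepted: date / desc

// Tampered: the attacker edits the payload but cannot recompute the MAC.
[$payload, $mac] = explode('.', $good, 2);
$forged = base64_encode(json_encode(['column' => 'password', 'dir' => 'desc'])) . '.' . $mac;
var_dump(readSortCookie($forged));        // rejected at step 1, default returned

// Object-injection attempt as in the advisory, signed with the real key to
// simulate a key leak: json_decode() cannot turn it into an object, and an
// unknown column would still be dropped at step 3.
$objPayload = base64_encode('O:8:"stdClass":0:{}');
var_dump(readSortCookie($objPayload . '.' . hash_hmac('sha256', $objPayload, SECRET_KEY)));
```

The analogy to prepared statements is this: with SQL you separate data from code by never letting input become part of the query text; with cookies you separate data from code by never letting input reach a deserializer that can construct objects. If the serialize() format must be kept for compatibility, PHP 7 and later accept `unserialize($s, ['allowed_classes' => false])`, which turns any object in the input into `__PHP_Incomplete_Class` with no magic methods, but the HMAC is still needed to stop a user from simply picking someone else's values.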

Author

Commented:
Thanks guys, that's the info I was looking for. Much appreciated.
