PHPDeveloper.org: Ilia Alshanetsky's Blog: Another unserialize() abuse

	News Feed
	Jobs Feed

Sections

Tutorials

Books

Events

Talks

Jobs

Recent Jobs

Job Posting: Vermont Information Processing Seeks Senior/Lead PHP Developer (Burlington, VT)

Job Posting: Mediware Blood Center Technologies Seeks PHP Software Developer (Jacksonville, FL)

PHP Zone: Can Learning Drupal Get You a Job?

Job Posting: Tilllate Media Seeks Senior PHP Developer (Glasgow, UK)

Job Posting: Agency Matrix Seeks Senior Application Developer (Addison, TX)

Job Posting: HUGE Seeks Freelance Zend/WordPress Developer (Brooklyn, NY)

Job Posting: Abbott Laboratories Seeks PHP Developer (Irving, TX)

Job Posting: BetFair Seeks Lead Software Engineer (Web)

Job Posting: Uplifting Innovations Seeks Lead PHP Developer (Portland, OR)

Job Posting: Ganz Seeks PHP Developer (Toronto, Ontario)

News Archive

Community News: Symfony-Check.org (A Symfony Deployment Checklist)

Matt Williams' Blog: High level search with PHP and Apache Solr

Brian Swan's Blog: Retrieving Data with the OData SDK for PHP

Brandon Savage's Blog: The 15 Minute Rule Of Software Development

PHPBuilder.com: Create Custom Google Analytics Interfaces Using PHP

NETTUTS.com: Image Resizing Made Easy with PHP

Site News: Popular Posts for the Week of 03.19.2010

Symfony Blog: Running a TV station with symfony

Eli White's Blog: Conferences, Speakers & Presentations

Ibuildings techPortal: Zend Studio formatted for Zend Framework and ATK

Ilia Alshanetsky's Blog:
Another unserialize() abuse

by Chris Cornutt March 23, 2006 @ 06:59:23

With yet another reason not to trust the users of your application (mainly the data they send you), Ilia Alshanetsky has details on an issue that could be caused by the unserialize() function in PHP.

While talking with PHP developers this morning I thought of another way unverified serialized strings could be abused. This exploit can only affect PHP 5 installs though, but given the growing market share of PHP 5 it is certainly something worth noting.

As you may know classes in PHP are allowed to implement a magic method called __wakeup() that contains operation that are to be performed when a class is deserialized. Some native classes like PDO implement this function with a goal of preventing database serialization and throw an error when it is used.

He uses an example with PDO and a string of a serialized "supposed PDO object" to illustrate how, without the proper handling, it could lead to a fatal error in the script. The end result of the fatal error, if displaying errors is still on, could be that somewhat sensitive information could be displayed to the viewer.

0 comments voice your opinion now!
unserialize abuse __wakeup fatal error display unserialize abuse __wakeup fatal error display

Similar Posts

SitePoint PHP Blog: Pimpin Harry’s pretty bluescreen

Jonnay\'s Blog: An issue with PHP\'s error handling

Stefan Priebsch's Blog: Turning errors into exceptions

Jani Hartikainen's Blog: Common programming errors and how to avoid them

DevShed: Error Handling in PHP - Coding Defensively

Community Events

Don't see your event here?
Let us know!

All content copyright, 2010 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework