| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKws9z09aD7r-tndCS6BWgB4Ok+fUZS18BXwbFAqTA2ioWQhiA@mail.gmail.com>
Date: Sun, 19 Apr 2015 14:12:23 -0400
From: Scott Arciszewski <scott@...agonie.com>
To: fulldisclosure@...lists.org, Taylor Otwell <TaylorOtwell@...il.com>
Subject: [FD] Laravel - PHP Object Injection - 4.1, 4.2, 5.0, master
Hi FD Readers,
If you're using cookie-based session storage with any version of the
Laravel Framework since 4.1 (inclusive), and you turned encryption off (I
can't imagine why anyone would do that, but I've seen some weird setups),
you are vulnerable to PHP Object Injection.
The story begins here:
https://github.com/laravel/framework/blob/253d63a550b4508e56ec0f7536e5e4f302661148/src/Illuminate/Session/SessionManager.php#L34
No matter which driver you select, it calls buildSession():
https://github.com/laravel/framework/blob/253d63a550b4508e56ec0f7536e5e4f302661148/src/Illuminate/Session/SessionManager.php#L173
If encryption is turned off, it creates an instance of the Store class,
which contains this gem:
https://github.com/laravel/framework/blob/253d63a550b4508e56ec0f7536e5e4f302661148/src/Illuminate/Session/Store.php#L123
/**
* Read the session data from the handler.
*
* @return array
*/
protected function readFromHandler()
{
$data = $this->handler->read($this->getId());
if ($data)
{
$data = @unserialize($this->prepareForUnserialize($data));
if ($data !== false) return $data;
}
return [];
}
For the record, prepareForUnserialize() just returns whatever you pass it.
If you're using the CookieSessionHandler without encryption, you're
allowing the client to arbitrarily change the session contents. While
that's bad in and of itself, that Laravel passes this data to unserialize()
is even worse.
When I informed Taylor Otwell on their Slack chat about this and
recommended a fix, this is what he had to say:
> we will consider it, however, since encryption is on in laravel
> i wouldn't view it as a security issue
I didn't find any exploitable flaws in their encryption implementation. I
might look again soon.
The takeaway: If any Laravel developers are reading this: If you have
foregone server-side session storage, please make sure you have encryption
turned on.
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists