[TYPO3-ttnews] TYPO3-EXT-SA-2014-003: Insecure Unserialize
Jigal van Hemert
jigal.van.hemert at typo3.org
Thu Feb 13 12:13:18 CET 2014
Hi,
On 13-2-2014 10:47, Fabian Thommen wrote:
> I would also be interested in what can happen in the worst case.
> Do you have to be a BE or FE user to exploit it?
Because (un)serialize was used it was possible to send serialized
objects in the cookie. If the classes of those objects have a __wakeup()
or __destruct() function those functions are called after unserializing
and at the end of the request respectively.
By picking the right class from tt_news or the core you can execute that
wakeup or destruct function.
Because it only needed to store an array with data, using json_encode /
decode was the easiest fix.
This is also mentioned in the PHP documentation [1].
[1] http://www.php.net/unserialize#refsect1-function.unserialize-notes
--
Jigal van Hemert
TYPO3 CMS Active Contributor
TYPO3 .... inspiring people to share!
Get involved: typo3.org
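As an added illustration of the two points in the reply above (this is example code written for this page, not code from tt_news, the TYPO3 core or the advisory): a harmless stand-in class records when its magic methods run, the "before" function reads the cookie the way the advisory describes, and the "after" functions use the json_encode / json_decode round trip. The class name `AuditedObject`, the function names and the sample cookie values are all constructed for the example.

```php
<?php
// Added example (not tt_news or TYPO3 core code). Shows why passing
// client-controlled cookie data to unserialize() is dangerous and what
// the JSON replacement described in the advisory looks like.

// Harmless stand-in for "a class from tt_news or the core": it only
// records which magic methods PHP invoked on it.
class AuditedObject
{
    public static array $events = [];

    public function __wakeup(): void
    {
        self::$events[] = 'wakeup';    // runs during unserialize()
    }

    public function __destruct()
    {
        self::$events[] = 'destruct';  // runs when the object is freed,
    }                                  // at the latest at request end
}

// --- Before: the pattern the advisory fixed -----------------------------
// Whatever the client sends is turned into live PHP objects.
function readCookieInsecure(string $cookie)
{
    return unserialize($cookie);
}

// --- After: data-only round trip ----------------------------------------
// The cookie only needs to carry an array of scalars; JSON can represent
// that and cannot instantiate classes.
function writeCookieSecure(array $data): string
{
    return json_encode($data, JSON_THROW_ON_ERROR);
}

function readCookieSecure(string $cookie): array
{
    // assoc=true: JSON objects become arrays, never PHP objects
    $data = json_decode($cookie, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('cookie must be a JSON array/object');
    }
    return $data;
}

// Constructed sample input: the legitimate payload, plus a serialized
// object standing in for what a client could send instead.
$legit   = ['uid' => 42, 'cat' => [3, 5]];
$crafted = serialize(new AuditedObject());
AuditedObject::$events = [];                  // reset after the temporary above

$value = readCookieInsecure($crafted);        // __wakeup() fires here
unset($value);                                // __destruct() fires here
var_dump(AuditedObject::$events);             // ["wakeup", "destruct"]

$cookie = writeCookieSecure($legit);          // {"uid":42,"cat":[3,5]}
var_dump(readCookieSecure($cookie) === $legit);   // bool(true)

try {
    readCookieSecure($crafted);               // serialized PHP is not JSON
} catch (JsonException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The first half shows that the magic methods run without the application ever naming the class; the second half shows that the JSON version either returns a plain array or throws. On PHP 7.0 and later, code that genuinely must unserialize untrusted input can additionally pass `['allowed_classes' => false]` as the second argument to `unserialize()`, which turns any object in the payload into `__PHP_Incomplete_Class` instead of instantiating it; that option did not exist when this advisory was written, which is one more reason the JSON change was the right fix.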