
@chtg
chtg / gist:c6fb2acdc5d6cfd7ebd2
Created November 2, 2014 12:26
PHP WDDX Serializer Data Injection Vulnerability

# PHP WDDX Serializer Data Injection Vulnerability

Taoguang Chen <@chtg> - 2014.11.2

When PHP serializes an array into a WDDX structure, it does not strictly restrict the array's key names, which makes it possible to forge the WDDX structure of an object.

## I. Serializing Objects

When PHP serializes an object into a WDDX structure, it proceeds as follows:

@chtg
chtg / gist:e9824db42a8edf302b0e
Last active August 29, 2015 14:09
MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution Vulnerability

# MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution Vulnerability

Taoguang Chen <@chtg> - 2014.03.06

MyBB's unset_globals() function can be bypassed under special conditions, and this makes remote code execution possible.

## I. MyBB's unset_globals() Function Bypass

When PHP's register_globals configuration is set on, MyBB calls the unset_globals() function, and all global variables registered by PHP from the $_POST, $_GET, $_FILES, and $_COOKIE arrays are destroyed.

@chtg
chtg / gist:dd3f92f7f221bebc4db0
Last active August 29, 2015 14:11
Security Risks of PHP's Multibyte Character Script Parsing Mode

# Security Risks of PHP's Multibyte Character Script Parsing Mode
> Taoguang Chen <github.com/chtg> - 2014.12.15
Multibyte Character Parsing Mode
========
PHP introduced a multibyte character parsing mode in version 5.3. In 5.3, enabling this mode was rather cumbersome: it had to be enabled at compile time with the corresponding parameter and then configured both in the php.ini file and in the script. Since PHP 5.4, however, the multibyte character parsing mode is supported by default and can be enabled simply through the php.ini configuration.
Let us first look at some of the configuration options PHP provides:
@chtg
chtg / gist:ffc16863cbcff6d9a034
Last active August 29, 2015 14:14
Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]

# Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]

Taoguang Chen <@chtg> - Write Date: 2015.1.29 - Release Date: 2015.2.20

A use-after-free vulnerability was discovered in unserialize() with the DateTime/DateTimeZone objects' __wakeup() magic method that can be abused for leaking arbitrary memory blocks or executing arbitrary code remotely.

Affected Versions

Affected is PHP 5.6 < 5.6.6
Affected is PHP 5.5 < 5.5.22

@chtg
chtg / gist:a492176ff789120689f9
Last active August 29, 2015 14:14
Type Confusion Infoleak Vulnerability in unserialize() with DateTimeZone

# Type Confusion Infoleak Vulnerability in unserialize() with DateTimeZone

Taoguang Chen <@chtg> - Write Date: 2015.1.29 - Release Date: 2015.2.20

A type confusion vulnerability was discovered in unserialize() with the DateTimeZone object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks.

Affected Versions

Affected is PHP 5.6.x
Affected is PHP 5.5.x

@chtg
chtg / gist:d62d42b55c68bfcb0c2f
Last active August 29, 2015 14:14
Use After Free Vulnerability in unserialize()

# Use After Free Vulnerability in unserialize() [CVE-2015-2787]

Taoguang Chen <@chtg> - Write Date: 2015.2.3 - Release Date: 2015.3.20

A use-after-free vulnerability was discovered in unserialize() with a specially defined object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or executing arbitrary code.

Affected Versions

Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23

@chtg
chtg / gist:a5aee007a55d46f009aa
Last active August 29, 2015 14:17
Type Confusion Infoleak Vulnerabilities in SoapClient

# Type Confusion Infoleak Vulnerabilities in SoapClient

Taoguang Chen <@chtg> - Write Date: 2015.3.1 - Release Date: 2015.3.20

Four type confusion vulnerabilities were discovered in some of the SoapClient object's methods that can be abused for leaking arbitrary memory blocks.

Affected Versions

Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23

@chtg
chtg / gist:4f57d0392ee8937d3e94
Last active August 29, 2015 14:20
Type Confusion Infoleak and Heap Overflow Vulnerability in unserialize() with exception

# Type Confusion Infoleak and Heap Overflow Vulnerability in unserialize() with exception

Taoguang Chen <@chtg> - Write Date: 2015.3.3 - Release Date: 2015.4.28

A type confusion vulnerability was discovered in the exception object's __toString()/getTraceAsString() methods that can be abused for leaking arbitrary memory blocks or causing a heap overflow.

Affected Versions

Affected is PHP 5.6 < 5.6.8
Affected is PHP 5.5 < 5.5.24

@chtg
chtg / .md
Last active August 29, 2015 14:26
Use After Free Vulnerability in unserialize() with SplObjectStorage

# Use After Free Vulnerability in unserialize() with SplObjectStorage

Taoguang Chen <@chtg> - Write Date: 2015.7.30 - Release Date: 2015.8.7

A use-after-free vulnerability was discovered in unserialize() during the deserialization of SplObjectStorage objects that can be abused for leaking arbitrary memory blocks or executing arbitrary code remotely.

Affected Versions

Affected is PHP 5.6 < 5.6.12
Affected is PHP 5.5 < 5.5.28

@chtg
chtg / .md
Last active August 29, 2015 14:26
Use After Free Vulnerability in unserialize() with SplDoublyLinkedList

# Use After Free Vulnerability in unserialize() with SplDoublyLinkedList

Taoguang Chen <@chtg> - Write Date: 2015.7.30 - Release Date: 2015.8.7

A use-after-free vulnerability was discovered in unserialize() during the deserialization of SplDoublyLinkedList objects that can be abused for leaking arbitrary memory blocks or executing arbitrary code remotely.

Affected Versions

Affected is PHP 5.6 < 5.6.12
Affected is PHP 5.5 < 5.5.28