Taoguang Chen <@chtg> - Write Date: 2015.3.1 - Release Date: 2015.3.20
A type confusion vulnerability was discovered in SoapClient object's __getCookies() method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.
Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23
#Use After Free Vulnerability in unserialize() with DateInterval
Taoguang Chen <@chtg> - Write Date: 2015.2.28 - Release Date: 2015.3.20
A use-after-free vulnerability was discovered in unserialize() with DateInterval object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.
Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23
#Use After Free Vulnerability in unserialize() [CVE-2015-2787]
Taoguang Chen <@chtg> - Write Date: 2015.2.3 - Release Date: 2015.3.20
A use-after-free vulnerability was discovered in unserialize() with a specially defined object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code.
Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23
#Type Confusion Infoleak Vulnerability in unserialize() with DateTimeZone
Taoguang Chen <@chtg> - Write Date: 2015.1.29 - Release Date: 2015.2.20
A type confusion vulnerability was discovered in unserialize() with DateTimeZone object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks.
Affected is PHP 5.6.x
Affected is PHP 5.5.x
#Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]
Taoguang Chen <@chtg> - Write Date: 2015.1.29 - Release Date: 2015.2.20
A use-after-free vulnerability was discovered in unserialize() with DateTime/DateTimeZone objects's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.
Affected is PHP 5.6 < 5.6.6
Affected is PHP 5.5 < 5.5.22
| PHP 脚本多字节字符解析模式带来的安全隐患 | |
| > Taoguang Chen <github.com/chtg> - 2014.12.15 | |
| 多字节字符解析模式 | |
| ======== | |
| PHP 从 5.3 起引入了多字节字符解析模式,在 5.3 版本中开启该模式较为麻烦,需要在编译时开启相应参数,并在 php.ini 文件和脚本中进行配置。但 PHP 从 5.4 起默认支持多字节字符解析模式,只需通过 php.ini 文件中配置即可开启该模式。 | |
| 我们先来看看 PHP 提供的一些配置选项: |
#MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution Vulnerability
Taoguang Chen <@chtg> - 2014.03.06
MyBB's unset_globals() function can be bypassed under special conditions and it is possible to allows remote code execution.
##I. MyBB's unset_globals() Function Bypass
When PHP's register_globals configuration set on, MyBB will call unset_globals() function, all global variables registered by PHP from $_POST, $_GET, $_FILES, and $_COOKIE arrays will be destroyed.
#PHP Session 序列化及反序列化处理器设置使用不当带来的安全隐患
Taoguang Chen <@chtg> - 2014.11.11
##PHP Session 序列化及反序列化处理器
PHP 内置了多种处理器用于存取 $_SESSION 数据时会对数据进行序列化和反序列化,常用的有以下三种,对应三种不同的处理格式:
| 处理器 | 对应的存储格式 |
|---|
#Code Injection Vulnerability via unserialize() Function and var_export() Function in HHVM 3
Taoguang Chen <@chtg> - 2014.10.29
HHVM's var_export() function wrongly handles an undefined class, and unserialize() function wrongly handles an invalid classname.
##HHVM's var_export() function HHVM's var_export() function had a parse error when exporting an undefined class:
#PHP WDDX Serializier Data Injection Vulnerability
Taoguang Chen <@chtg> - 2014.11.2
PHP 在把数组序列化为 WDDX 结构的过程中,没有对数组的键名严格限制,导致可以伪造对象的 WDDX 结构。
##i 序列化对象
PHP 在把对象序列化为 WDDX 结构时,会做如下处理: