# PHP WDDX Serializer Data Injection Vulnerability
Taoguang Chen <@chtg> - 2014.11.2
When PHP serializes an array into a WDDX structure, it does not strictly restrict the array's key names, which makes it possible to forge the WDDX structure of an object.
## I. Serializing Objects
When PHP serializes an object into a WDDX structure, it does the following:
# Code Injection Vulnerability via unserialize() Function and var_export() Function in HHVM 3
Taoguang Chen <@chtg> - 2014.10.29
HHVM's var_export() function wrongly handles an undefined class, and its unserialize() function wrongly handles an invalid class name.
## HHVM's var_export() Function
HHVM's var_export() function had a parse error when exporting an undefined class:
# Security Risks from Improper Configuration and Use of PHP Session Serialization and Deserialization Handlers
Taoguang Chen <@chtg> - 2014.11.11
## PHP Session Serialization and Deserialization Handlers
PHP has several built-in handlers that serialize and deserialize data when $_SESSION data is stored and retrieved. The three commonly used ones, each with a different storage format, are:
| Handler | Storage format |
|---|---|
# MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution Vulnerability
Taoguang Chen <@chtg> - 2014.03.06
MyBB's unset_globals() function can be bypassed under special conditions, making remote code execution possible.
## I. MyBB's unset_globals() Function Bypass
When PHP's register_globals configuration is enabled, MyBB calls the unset_globals() function, and all global variables registered by PHP from the $_POST, $_GET, $_FILES, and $_COOKIE arrays are destroyed.
# Security Risks of PHP's Multibyte Character Parsing Mode
Taoguang Chen <github.com/chtg> - 2014.12.15
## Multibyte Character Parsing Mode
PHP introduced multibyte character parsing mode in version 5.3. In 5.3, enabling the mode was cumbersome: it required enabling the corresponding option at compile time and configuring it in both php.ini and the script. Since 5.4, however, PHP supports multibyte character parsing mode by default, and it can be enabled simply through php.ini configuration.
Let us first look at some of the configuration options PHP provides:
# Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]
Taoguang Chen <@chtg> - Write Date: 2015.1.29 - Release Date: 2015.2.20
A use-after-free vulnerability was discovered in unserialize() with the DateTime/DateTimeZone objects' __wakeup() magic method that can be abused to leak arbitrary memory blocks or execute arbitrary code remotely.
Affected is PHP 5.6 < 5.6.6
Affected is PHP 5.5 < 5.5.22
# Type Confusion Infoleak Vulnerability in unserialize() with DateTimeZone
Taoguang Chen <@chtg> - Write Date: 2015.1.29 - Release Date: 2015.2.20
A type confusion vulnerability was discovered in unserialize() with the DateTimeZone object's __wakeup() magic method that can be abused to leak arbitrary memory blocks.
Affected is PHP 5.6.x
Affected is PHP 5.5.x
# Use After Free Vulnerability in unserialize() [CVE-2015-2787]
Taoguang Chen <@chtg> - Write Date: 2015.2.3 - Release Date: 2015.3.20
A use-after-free vulnerability was discovered in unserialize() with a specially defined object's __wakeup() magic method that can be abused to leak arbitrary memory blocks or execute arbitrary code.
Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23
# Use After Free Vulnerability in unserialize() with DateInterval
Taoguang Chen <@chtg> - Write Date: 2015.2.28 - Release Date: 2015.3.20
A use-after-free vulnerability was discovered in unserialize() with the DateInterval object's __wakeup() magic method that can be abused to leak arbitrary memory blocks or execute arbitrary code remotely.
Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23
Taoguang Chen <@chtg> - Write Date: 2015.3.1 - Release Date: 2015.3.20
A type confusion vulnerability was discovered in the SoapClient object's __getCookies() method that can be abused to leak arbitrary memory blocks or execute arbitrary code remotely.
Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23