While talking with PHP developers this morning I thought of another way unverified serialized strings could be abused. This exploit can only affect PHP 5 installs, but given the growing market share of PHP 5 it is certainly something worth noting.
As you may know, classes in PHP are allowed to implement a magic method called __wakeup() that contains operations to be performed when an object of that class is deserialized. Some native classes like PDO implement this method with the goal of preventing database connection serialization and throw an exception when it is invoked. Herein lies the abuse: the attacker simply needs to supply a short serialized string that looks like a serialized PDO object.
CODE:
O:3:"PDO":0:{}
When PHP tries to unserialize it, it determines that the PDO class has a __wakeup() method and promptly calls it. However, since the operation is disallowed, the method throws an exception which, if left uncaught, terminates the script with a fatal error. Since most people do not expect unserialize() to throw exceptions, they leave it outside of a try {} / catch() {} block, so the exception goes uncaught, which in PHP triggers a fatal error that promptly terminates execution of the script. Furthermore, if error display is enabled, as it is by default on most installs, all the exception information is dumped to the screen, including a code-flow backtrace that contains oodles of potentially sensitive information.
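Added here as an example, not code from the original post: a wrapper that closes both doors described above, by refusing to instantiate any class (so no __wakeup() can run) and by catching whatever unserialize() throws, with an application-held HMAC signature in front of it. It assumes PHP 7.0 or later for the allowed_classes option; the function names and the key value are made up for the illustration.

```php
<?php
// Added example, not code from the original post. Defensive wrapper around
// unserialize(): no class may be instantiated (so PDO::__wakeup() or any other
// magic method never runs) and anything unserialize() throws is caught, so the
// script cannot die with a fatal error and an on-screen backtrace. PHP 7.0+.

// After allowed_classes => false every object record decodes to
// __PHP_Incomplete_Class; reject any result that still contains an object.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (containsObject($item)) {
            return true;
        }
    }
    return false;
}

// Returns the decoded scalar/array, or null when the payload is malformed,
// contains objects, or makes unserialize() throw.
function safeUnserialize(string $payload)
{
    try {
        $value = unserialize($payload, ['allowed_classes' => false]);
    } catch (Throwable $e) {
        error_log('unserialize threw: ' . $e->getMessage()); // log it, never echo it
        return null;
    }
    if ($value === false && $payload !== 'b:0;') {
        return null; // malformed serialized data
    }
    return containsObject($value) ? null : $value;
}

// Only accept data this application signed itself: "<hex hmac>.<payload>".
function verifyAndUnserialize(string $signed, string $key)
{
    $parts = explode('.', $signed, 2);
    if (count($parts) !== 2 || !hash_equals(hash_hmac('sha256', $parts[1], $key), $parts[0])) {
        return null; // missing or forged signature
    }
    return safeUnserialize($parts[1]);
}

var_dump(safeUnserialize('O:3:"PDO":0:{}'));            // the post's probe string
var_dump(safeUnserialize('a:1:{s:2:"id";i:42;}'));      // an ordinary array payload
var_dump(verifyAndUnserialize('deadbeef.a:0:{}', 'k')); // constructed forged signature
```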
So here is another reason for not passing serialized data via user-accessible means, and yet another demonstration of why leaving “display_errors” in the ON position is a bad idea.