[wp-trac] [WordPress Trac] #17375: Serialized option values broken for classes with Serializable interface

WordPress Trac noreply at wordpress.org
Thu May 28 05:13:36 UTC 2015


#17375: Serialized option values broken for classes with Serializable interface
--------------------------------+--------------------------
 Reporter:  hakre               |       Owner:  markjaquith
     Type:  defect (bug)        |      Status:  reviewing
 Priority:  normal              |   Milestone:  4.3
Component:  Options, Meta APIs  |     Version:  2.0.5
 Severity:  normal              |  Resolution:
 Keywords:  close               |     Focuses:
--------------------------------+--------------------------

Comment (by nacin):

 I made this comment while preparing for a talk (see
 https://poststatus.com/the-trojan-emoji/), so please pardon the quick
 drive-by originally.

 Here's some overall details on PHP object injection:
 https://www.owasp.org/index.php/PHP_Object_Injection.

 I'll try to explain the vulnerability here succinctly:
  * If the user can arbitrarily pass a string to `unserialize()`, then it
 can be an object injection vulnerability which could lead to any number of
 other issues, such as arbitrary code execution. This is explained in the
 above link.
  * Right now, if the user tries to insert a serialized string (with the
 hope that it is unserialized), we serialize it a second time. See
 `maybe_serialize()` calling `is_serialized()`.
  * Right now, someone can insert the string
 `C:16:"Serialized_Class":50:{a:3:{i:0;s:3:"one";i:1;s:3:"two";i:2;s:5:"three";}}`.
 It will not pass `is_serialized()`, which means it will be treated as a
 simple scalar that can be inserted into the DB.
  * If we add this patch to a future WordPress version, then any existing
 `C:` strings will suddenly be unserializable. See the same
 `is_serialized()` in `maybe_unserialize()`. Thus, we would be turning a
 harmless string (on original insert) into a sleeping exploit waiting to be
 unserialized (on a future select).

 Thus, `is_serialized()` is frozen in time. (There could be worse things in
 life.)

--
Ticket URL: <https://core.trac.wordpress.org/ticket/17375#comment:37>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
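To make the mechanism nacin describes concrete, here is an added, stand-alone PHP sketch (my own simplified model, not WordPress core's code; the `model_*` function names are made up for this example) showing that a `C:` string is not recognized by the serialization check, so it is stored verbatim and read back as a plain string, while a recognized `a:` string is serialized a second time on insert. The read path also passes PHP's real `allowed_classes => false` option to `unserialize()` as a defensive measure.

```php
<?php
// Simplified model of is_serialized()/maybe_serialize()/maybe_unserialize().
// A reduced, stand-alone approximation of how core's checks behave, not core's code.
// Note that 'C:' is deliberately NOT among the accepted prefixes.
function model_is_serialized(string $data): bool {
    $data = trim($data);
    if ($data === 'N;') {
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;
    }
    $last = substr($data, -1);
    switch ($data[0]) {
        case 's': // s:N:"...";
            return $last === ';' && substr($data, -2, 1) === '"';
        case 'a': case 'O': // arrays and objects end with a closing brace
            return $last === '}';
        case 'b': case 'i': case 'd':
            return (bool) preg_match('/^[bid]:[0-9.E+-]+;$/', $data);
    }
    return false; // anything else, including C:..., is treated as a plain scalar
}
function model_maybe_serialize($data): string {
    if (is_array($data) || is_object($data)) {
        return serialize($data);
    }
    // A string that already looks serialized is serialized a second time so it round-trips as a string.
    if (is_string($data) && model_is_serialized($data)) {
        return serialize($data);
    }
    return (string) $data;
}
function model_maybe_unserialize(string $value) {
    if (model_is_serialized($value)) {
        // allowed_classes => false (PHP 7+) refuses to instantiate any object, even if a class-bearing payload were recognized.
        return unserialize($value, ['allowed_classes' => false]);
    }
    return $value; // not recognized: returned untouched as a string
}
// Constructed inputs: the C: string quoted in the ticket and an ordinary array string.
$cStr = 'C:16:"Serialized_Class":50:{a:3:{i:0;s:3:"one";i:1;s:3:"two";i:2;s:5:"three";}}';
$aStr = 'a:1:{i:0;s:3:"one";}';
printf("C: recognized as serialized? %s\n", var_export(model_is_serialized($cStr), true));
printf("C: stored verbatim on insert? %s\n", var_export(model_maybe_serialize($cStr) === $cStr, true));
printf("C: read back as the same plain string? %s\n", var_export(model_maybe_unserialize($cStr) === $cStr, true));
printf("a: stored on insert as: %s\n", model_maybe_serialize($aStr));
```

If the model's check were later taught to accept `C:`, the stored string would start being passed to `unserialize()` on read, which is exactly the change the comment argues against.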