1. PHP / Говнокод #24800

    0

    1. 01
    2. 02
    3. 03
    4. 04
    5. 05
    6. 06
    7. 07
    8. 08
    9. 09
    10. 10
    11. 11
    12. 12
    13. 13
    14. 14
    15. 15
    16. 16
    17. 17
    18. 18
    19. 19
    20. 20
    21. 21
    22. 22
    23. 23
    24. 24
    25. 25
    26. 26
    27. 27
    // CVE-2012-5692
    
    /* 4015. */        static public function get($name) 
    /* 4016. */        { 
    /* 4017. */            // Check internal data first 
    /* 4018. */            if ( isset( self::$_cookiesSet[ $name ] ) ) 
    /* 4019. */            { 
    /* 4020. */                return self::$_cookiesSet[ $name ]; 
    /* 4021. */            } 
    /* 4022. */            else if ( isset( $_COOKIE[ipsRegistry::$settings['cookie_id'].$name] ) ) 
    /* 4023. */            { 
    /* 4024. */                $_value = $_COOKIE[ ipsRegistry::$settings['cookie_id'].$name ]; 
    /* 4025. */    
    /* 4026. */                if ( substr( $_value, 0, 2 ) == 'a:' ) 
    /* 4027. */                { 
    /* 4028. */                    return unserialize( stripslashes( urldecode( $_value ) ) ); 
    /* 4029. */                } 
    
    /*  
    The vulnerability is caused due to this method unserialize user input passed through cookies without a proper 
    sanitization. The only one check is done at line 4026,  where is controlled that the serialized string starts 
    with 'a:',  but this is not  sufficient to prevent a  "PHP Object Injection"  because an attacker may send  a 
    serialized string which represents an array of objects.  This can be  exploited to execute arbitrary PHP code 
    via the  "__destruct()" method of the  "dbMain" class,  which calls the "writeDebugLog" method to write debug 
    info into a file.  PHP code may  be injected  only through the  $_SERVER['QUERY_STRING']  variable,  for this 
    reason successful exploitation of this vulnerability requires short_open_tag to be enabled. 
    */

    Если вы думаете, что самое плохое, что ждёт ваш уютный сайт на «PHP» — это Роберт-брось-таблицу, то вы глубоко ошибаетесь.

    CSRF verification passed.

    Запостил: gost, 23 Сентября 2018

    Комментарии (45) RSS

    Добавить комментарий