Home Original page

WDDX Packet Injection Vulnerability in wddx_serialize_value()

Bug #72142 WDDX Packet Injection Vulnerability in wddx_serialize_value()
Submitted: 2016-05-03 12:14 UTC Modified: 2016-05-10 05:30 UTC
From: taoguangchen at icloud dot com Assigned:
Status: Closed Package: WDDX related
PHP Version: 5.6.21 OS: *
Private report: No CVE-ID: None

 [2016-05-03 12:14 UTC] taoguangchen at icloud dot com

Description:
------------
```
void php_wddx_packet_start(wddx_packet *packet, char *comment, int comment_len)
{
	php_wddx_add_chunk_static(packet, WDDX_PACKET_S);
	if (comment) {
		php_wddx_add_chunk_static(packet, WDDX_HEADER_S);
		php_wddx_add_chunk_static(packet, WDDX_COMMENT_S);
		php_wddx_add_chunk_ex(packet, comment, comment_len);
		php_wddx_add_chunk_static(packet, WDDX_COMMENT_E);
		php_wddx_add_chunk_static(packet, WDDX_HEADER_E);
...
PHP_FUNCTION(wddx_serialize_value)
{
...
	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z|s", &var, &comment, &comment_len) == FAILURE) {
		return;
	}
...
	php_wddx_packet_start(packet, comment, comment_len);
```

The wddx_serialize_value()'s second parameter `comment` is not filtered, that results in arbitrarily wddx packet injection vulnerability.

PoC:
```
<?php

$wddx = wddx_serialize_value('', '</comment></header><data><struct><var name="php_class_name"><string>stdClass</string></var></struct></data></wddxPacket>');
var_dump(wddx_deserialize($wddx));

?>
```

Fix:
```
void php_wddx_packet_start(wddx_packet *packet, char *comment, int comment_len)
{
	php_wddx_add_chunk_static(packet, WDDX_PACKET_S);
	if (comment) {
+		size_t comment_esc_len;
+		char *comment_esc;
+		comment_esc = php_escape_html_entities(comment, comment_len, &comment_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
		php_wddx_add_chunk_static(packet, WDDX_HEADER_S);
		php_wddx_add_chunk_static(packet, WDDX_COMMENT_S);
-		php_wddx_add_chunk_ex(packet, comment, comment_len);
+		php_wddx_add_chunk_ex(packet, comment_esc, comment_esc_len);
		php_wddx_add_chunk_static(packet, WDDX_COMMENT_E);
		php_wddx_add_chunk_static(packet, WDDX_HEADER_E);
		efree(comment_esc);
	} else {
```

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2016-05-10 05:30 UTC] stas@php.net

-Type: Security +Type: Bug

 [2016-05-10 05:30 UTC] stas@php.net

Doesn't look like security issue - you can just compose any string you like and call it "wddx serialized", so I don't see any vulnerability here.

 [2016-05-10 05:30 UTC] stas@php.net

-PHP Version: 5.5.35 +PHP Version: 5.6.21

 [2016-07-30 13:55 UTC] nikic@php.net

-Status: Open +Status: Closed