[nycphp-talk] Latest security alert ... CVE-2006-4812
csnyder
chsnyder at gmail.com
Thu Oct 12 08:24:20 EDT 2006
On 10/11/06, Jon Baer <jonbaer at jonbaer.com> wrote:
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4812
> http://www.hardened-php.net/advisory_092006.133.html
>
> Looks like everyone should patch up no? ...
Yes, but from the way I read it, this is only an issue if you
unserialize a string directly from user input. The authors give the
example of an application that serializes some structure and stores it
in a cookie value for deserialization on subsequent requests.

The attack is based on constructing a fake serialized string that
includes an array with a very large number of reported elements,
something like "a:9999999999999999:{...}".

I wouldn't be surprised to find that unserialize() is vulnerable to
other, similar attacks, so if your code is affected by this it would
be much better to use some other mechanism (storing a record id in the
cookie, or using PHP sessions). Or use Hardened PHP, apparently.
--
Chris Snyder
http://chxo.com/
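
The cookie pattern described above next to the record-id alternative the reply suggests, as an added example that is not part of the original post. The function names, cookie keys and the in-memory store are hypothetical, and the sample values are constructed.

```php
<?php
// Added example, not code from the post or the advisory.
// Function names, cookie keys and $store are hypothetical.

// Pattern at risk: a structure is serialized into a cookie and handed back
// to unserialize() on the next request. The client controls every byte of
// the string, including the element count an array claims to have.
function load_prefs_from_cookie(array $cookies): array
{
    if (!isset($cookies['prefs']) || !is_string($cookies['prefs'])) {
        return [];
    }
    $prefs = unserialize($cookies['prefs']); // user input reaches unserialize()
    return is_array($prefs) ? $prefs : [];
}

// Alternative: the cookie carries only a record id and the structure stays
// on the server, so nothing the client sends is ever deserialized.
function load_prefs_by_id(array $cookies, array $store): array
{
    $id = $cookies['prefs_id'] ?? '';
    // A cookie can arrive as an array (prefs_id[]=...), so check the type,
    // then accept only a short, purely numeric id.
    if (!is_string($id) || !preg_match('/^[0-9]{1,10}$/', $id)) {
        return [];
    }
    return $store[(int) $id] ?? [];
}

// Constructed sample data standing in for a database table.
$store = [42 => ['theme' => 'dark', 'lang' => 'en']];

// Constructed cookie values: a valid id, the string shape quoted in the
// post, an array-valued cookie, and an id with no matching record.
$samples = [
    ['prefs_id' => '42'],
    ['prefs_id' => 'a:9999999999999999:{...}'],
    ['prefs_id' => ['42']],
    ['prefs_id' => '7'],
];

foreach ($samples as $cookies) {
    $prefs = load_prefs_by_id($cookies, $store);
    echo json_encode($cookies), ' => ', json_encode($prefs), PHP_EOL;
}
```

With PHP sessions the shape is the same: the session cookie carries only the session id, and the structure is read from `$_SESSION` on the server.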