Web Application Attacks: PHP Object Injection


PHP Object Injection (POI) is a vulnerability that lets an attacker alter a PHP object so that the application's control flow changes; depending on the classes available to the application, this leads to issues such as remote code execution, directory traversal, and so on.

The root cause is user-supplied input being passed to an unserialize() call, which instantiates whatever objects the input describes and lets their code run. The situation is serious enough that the official PHP documentation for unserialize() carries the following warning:

Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this.

In PHP, serialization converts an object or an array into a storable string that can be written to a flat file, a database, and so on. This lets a developer keep complex objects beyond the life of the running script and recreate them later, in a later execution, from the stored location. The object effectively lives on after the script's runtime is over.
Deserialization, the reinstantiation of a stored object, is done by calling unserialize(); serialization is done through serialize().
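The following is an added example, not code from the original article: it shows how unserialize() runs a class's magic method on reconstruction, and how the `allowed_classes` option or a data-only format such as JSON removes that behaviour. The class `CacheEntry` and the sample payload are constructed for illustration.

```php
<?php
// Added example (not from the original article). CacheEntry is a constructed
// class whose __wakeup() stands in for any code a real class might run.
class CacheEntry {
    public string $key = 'demo';
    public string $value = '';

    // Invoked automatically whenever unserialize() rebuilds an instance.
    public function __wakeup(): void {
        echo "__wakeup() ran for key '{$this->key}'\n";
    }
}

// Serialized form the application itself would produce (constructed sample).
$stored = serialize(new CacheEntry());
echo $stored, "\n";
// O:10:"CacheEntry":2:{s:3:"key";s:4:"demo";s:5:"value";s:0:"";}

// Simulated untrusted input of the same shape. The class name and field values
// are chosen by whoever controls the string, not by the application.
$untrusted = 'O:10:"CacheEntry":2:{s:3:"key";s:8:"injected";s:5:"value";s:0:"";}';

// Unsafe: any class the application can autoload may be instantiated here, and
// its __wakeup()/__destruct() run before the caller inspects the result.
$obj = unserialize($untrusted);

// Safer (PHP >= 7.0): refuse to build objects at all. Objects in the input
// become __PHP_Incomplete_Class stand-ins whose magic methods never execute.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
echo get_class($safe), "\n";          // __PHP_Incomplete_Class

// Or restrict reconstruction to an explicit list when objects are required.
$allow = unserialize($untrusted, ['allowed_classes' => [CacheEntry::class]]);

// Preferred for data crossing a trust boundary: a format with no object
// semantics, so nothing can be instantiated by parsing it.
$json = json_encode(['key' => 'demo', 'value' => '']);
$data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
```

Running the script shows `__wakeup()` firing for the unsafe call and for the allow-listed call, but not for the `allowed_classes => false` call or the JSON path.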
