[nycphp-talk] Latest security alert ... CVE-2006-4812

csnyder chsnyder at gmail.com
Thu Oct 12 08:24:20 EDT 2006


On 10/11/06, Jon Baer <jonbaer at jonbaer.com> wrote:
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4812
> http://www.hardened-php.net/advisory_092006.133.html
>
> Looks like everyone should patch up no? ...

Yes, but from the way I read it, this is only an issue if you
unserialize a string directly from user input. The authors give the
example of an application that serializes some structure and stores it
in a cookie value for deserialization on subsequent requests.

The attack is based on constructing a fake serialized string that
includes an array with a very large number of reported elements,
something like "a:9999999999999999:{...}".

I wouldn't be surprised to find that unserialize() is vulnerable to
other, similar attacks, so if your code is affected by this it would
be much better to use some other mechanism (storing a record id in the
cookie, or using PHP sessions). Or use hardened PHP, apparently.

-- 
Chris Snyder
http://chxo.com/
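
Added example, not part of the original message or of any project it mentions: a sketch of the "record id in the cookie" alternative, where the cookie value is only ever a lookup key and is never passed to unserialize(). The `PrefStore` class, its in-memory array (standing in for a database table) and the `prefs_id` cookie name are hypothetical.

```php
<?php
// Keep the structure on the server; put only an opaque id in the cookie.
// PrefStore and its in-memory array are hypothetical stand-ins for a DB table.

final class PrefStore
{
    /** @var array<string, array> record id => preferences (constructed store) */
    private array $rows = [];

    // Save the structure server-side and return the id to place in the cookie.
    public function save(array $prefs): string
    {
        $id = bin2hex(random_bytes(16));   // 128-bit unguessable record id
        $this->rows[$id] = $prefs;
        return $id;
    }

    // Look up a cookie value. It is validated as 32 hex characters and used
    // only as an array key; no user-supplied bytes reach unserialize().
    public function load(?string $cookieValue): ?array
    {
        if ($cookieValue === null
            || !preg_match('/\A[0-9a-f]{32}\z/', $cookieValue)) {
            return null;                   // wrong shape: treat as "no saved prefs"
        }
        return $this->rows[$cookieValue] ?? null;
    }
}

$store = new PrefStore();
$id = $store->save(['theme' => 'dark', 'per_page' => 50]);
// In a web request the id would be sent with something like:
// setcookie('prefs_id', $id, ['httponly' => true, 'samesite' => 'Lax']);

// Constructed inputs: the genuine id, then the kind of forged serialized
// string quoted in the message, sent where the id is expected.
$forged = 'a:9999999999999999:{...}';

var_dump($store->load($id));      // genuine id: the stored array comes back
var_dump($store->load($forged));  // fails the id format check, never parsed
var_dump($store->load(null));     // no cookie sent
```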


