WordPress < 3.6.1 PHP Object Injection

WordPress 3.6.1 contains a PHP Object Injection Vulnerability Fix, detected by one of my former students. He also made an extensive writeup about it:

Let’s recap: maybe_serialized(‘i:1;<funkycharacterhere>’) is inserted to the database. As WordPress does not see this as a serialized string (because it doesn’t end in ; or }), this will result in i:1;. When inserted, MySQL doesn’t know how to store it properly, and removes the <funkycharacterhere>. Later on, when the value i:1; is retrieved, it will be unserialized as it now has ; as last character which will make is_serialized() return true. Boom. Vulnerability.

WordPress < 3.6.1 PHP Object Injection →

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.