0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal; securing open-source projects.

Froxlor PHP Objection Injection

· Sajeeb Lohani · CVE-2018-1000527

The Issue

PHP Object Deserialization Injection attacks utilise the unserialize function within PHP. The deserialisation of the PHP object can trigger certain methods within the object, allowing the attacker to perform unauthorised actions like execution of code, disclosure of information, etc.

The Froxlor project overly trusted user input (administrative users), feeding this input directly into the unserialize function of PHP.

Where the Issue Occurred

Displayed below is the code within the Froxlor project, in the admin_domains.php file, where the user input is passed into the unserialize function:

$ssl_ipandports = array();
if (isset($_POST['ssl_ipandport']) && ! is_array($_POST['ssl_ipandport'])) {
	$_POST['ssl_ipandport'] = unserialize($_POST['ssl_ipandport']);
}

Disclosure Timeline

  • Issue Reported: 29th May 2018
  • Issue Resolved: 29th May 2018
  • Blog Post Published: 31st May 2018
  • Applied for CVE: 24th June 2018