0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal; securing open-source projects.

YesWiki PHP Objection Injection

The Issue

PHP Object Deserialization Injection attacks utilise the unserialize function within PHP. The deserialisation of the PHP object can trigger certain methods within the object, allowing the attacker to perform unauthorised actions like execution of code, disclosure of information, etc.

The YesWiki project overly trusted user input when processing the data obtained from a form.

Where the Issue Occurred

Displayed below is the code within the YesWiki project containing the vulnerable code (yeswiki/includes/i18n.inc.php#149):

$conf = unserialize($_POST["config"]);

Disclosure Timeline

  • Issue Reported: 19th July 2018
  • Issue Resolved: <TBD>
  • Blog Post Published: 5th August 2018
  • Applied for CVE: 8th August 2018