PHP : Object injection
Classification
- OWASP Top 10 2013
- OWASP Top 10 2017
- OWASP Top 10 2021
- OWASP ASVS
- PCI DSS 4.0
- CWE
Overview
The application passes data to the function unserialize(). While an object is being deserialized, its magic method __wakeup() is executed automatically. An attacker can craft a serialized object whose attribute values the application never intended to accept, submit it as the argument to unserialize(), and thus cause __wakeup() to run with incorrect or malicious parameters. For example, if __wakeup() deletes a file, the attacker can influence which file is deleted. Object injection can also occur through other magic methods, in particular __destruct().
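The following PHP is an added illustration of the pattern described above; it is not code from the DerScanner page. The class, property and function names are constructed for the example. It places a class whose __wakeup() has the file-deleting side effect from the Overview next to a vulnerable loader and two hardened loaders: one that keeps unserialize() but forbids class instantiation (the allowed_classes option, available since PHP 7.0), and one that avoids PHP serialization for client-supplied state altogether (JSON_THROW_ON_ERROR needs PHP 7.3 or later).

```php
<?php
// Added example (not from the DerScanner page). Class, property and
// function names are constructed for illustration.

class TempFileCleaner
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Runs automatically whenever an instance is rebuilt by unserialize().
    public function __wakeup(): void
    {
        // The value of $this->path is trusted blindly: if it came from a
        // deserialized payload, the caller of unserialize() chose it.
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE: request data reaches unserialize() with no class restriction,
// so any loadable class with __wakeup() or __destruct() can be instantiated
// with externally chosen property values.
function loadStateVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// HARDENED (option 1): keep unserialize() but refuse to instantiate classes.
// Any object in the payload comes back as __PHP_Incomplete_Class, whose magic
// methods never run; scalars and arrays are still restored, which is all this
// endpoint needs, so anything else is rejected.
function loadStateHardened(string $untrusted): array
{
    $data = unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a serialized array');
    }
    return $data;
}

// HARDENED (option 2): do not use PHP serialization for client-supplied state
// at all. JSON carries no class information and triggers no magic methods.
function loadStateJson(string $untrusted): array
{
    $data = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a JSON object or array');
    }
    return $data;
}

// Legitimate use is unaffected: a serialized array still round-trips.
var_dump(loadStateHardened(serialize(['page' => 2, 'sort' => 'name'])));
var_dump(loadStateJson('{"page":2,"sort":"name"}'));
```

If the serialized state legitimately contains objects, list exactly those classes in allowed_classes instead of false, and treat any __PHP_Incomplete_Class found in the result (including nested inside arrays) as an attack indicator worth logging. Code scanners flag the vulnerable form because the argument to unserialize() is tainted by request input; the hardened forms remove the path from input to a magic method rather than trying to validate the serialized string itself.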
References
- OWASP Top 10 2017-A1-Injection
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
- OWASP: PHP Object Injection
- Understanding PHP Object Injection - securitycafe.ro
- Unserialize: New Techniques To Exploit PHP Object Injection (pdf) - Arseny Reutov / ptsecurity.com
- Magic Methods - php.net
- CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection
DerScanner Severity Score: MEDIUM
