# Object Injection Analyzer PRO
Category | Severity | Time To Fix |
---|---|---|
🛡️ Security | Major | 5 minutes |
Class: Enlightn\EnlightnPro\Analyzers\Security\ObjectInjectionAnalyzer
# Introduction
This analyzer scans your application code to detect any unserialize
function calls on untrusted user input data, which may expose your application to object injection attacks.
Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.
Consider the following code:
class SomeClass
{
public $cache_file;
function __destruct()
{
$file = "/var/www/cache/tmp/{$this->cache_file}";
if (file_exists($file)) @unlink($file);
}
}
Say, you have a controller that unserializes user request data:
$user_data = unserialize($request->input('data'));
The attacker will now be able to delete an arbitrary file by setting the data query string to O:8:"SomeClass":1:{s:10:"cache_file";s:15:"../../index.php";}
. When this string is unserialized, the SomeClass
object is created which deletes the cache file on __destruct
. This means that the attacker can provide the path to any file in a custom constructed serialized string to delete the file.
This is just one example. This vulnerability can lead to a wide variety of attacks including code injection, SQL injection, path traversal and application denial of service, depending on the context.
# How To Fix
If you want to fix the security vulnerability, simply remove all unserialize
function calls on user request data.