PHP Classes

cookie_oauth_client_class uses unserialize() cookie value

Subject: cookie_oauth_client_class uses...
Summary: one shouldn't unserialize() a string originating from the client
Messages: 3
Author: Markus S.
Date: 2019-07-10 08:15:06
 

1. cookie_oauth_client_class uses...
Markus S. - 2019-07-10 08:15:06
cookie_oauth_client_class::Unserialize() works on an untrusted string supplied by the browser. It's a string decrypted with 3DES, but it is still a user-supplied string.

3DES is an encryption algorithm which was broken in 2016.

Calling unserialize() on a user-supplied string is a well-known security vulnerability. It can be misused to do 'Object Injection'.
That's one of the top 10 vulnerabilities within the OWASP report from 2017, see A8 on https://www.owasp.org/index.php/Top_10-2017_Top_10

If we could use e.g. json_encode() or similar, this vulnerability would go away.

see also https://www.google.de/search?q=php+serialize+vulnerability

2. Re: cookie_oauth_client_class uses...
Manuel Lemos - 2019-07-10 19:46:36 - In reply to message 1 from Markus S.
Hello Markus,

Thanks for the notice. This is just a solution for those that do not want to use a database for some reason. I do not use this myself.

Anyway, besides using json_encode() instead of serialize(), what do you suggest as an alternative for encryption to make it more secure?

3. Re: cookie_oauth_client_class uses...
Markus S. - 2019-07-15 18:24:28 - In reply to message 2 from Manuel Lemos
E.g. https://github.com/defuse/php-encryption could work.

I don't think there is a "secure" built-in one-liner.
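The fix the thread converges on (json_encode() instead of serialize(), plus authenticated encryption so a tampered cookie is rejected before it is decoded), as an added example that is not code from the PHP OAuth Library package or from either poster. It uses PHP's built-in sodium extension (PHP 7.3+ assumed) rather than the defuse/php-encryption library suggested above; the class and method names are hypothetical.

```php
<?php
// Added example, not the package's own code. State is stored in the cookie as
// JSON inside a sodium secretbox (XSalsa20-Poly1305) envelope, so the value that
// comes back from the browser is never passed to unserialize().
//
// Unsafe pattern the thread describes (for contrast only):
//   $state = unserialize(decrypt_3des($_COOKIE['oauth']));
declare(strict_types=1);

final class CookieStateCodec
{
    /** @var string 32-byte server-side secret, never sent to the client */
    private $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('key must be 32 bytes');
        }
        $this->key = $key;
    }

    /** Serialize with JSON (no PHP objects), then encrypt+authenticate. */
    public function encode(array $state): string
    {
        $plain = json_encode($state, JSON_THROW_ON_ERROR);
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per cookie
        $box   = sodium_crypto_secretbox($plain, $nonce, $this->key);
        return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    }

    /** Returns the state array, or null if the cookie is malformed, tampered or forged. */
    public function decode(string $cookie): ?array
    {
        try {
            $raw = sodium_base642bin($cookie, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        } catch (SodiumException $e) {
            return null;
        }
        $nlen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        if (strlen($raw) < $nlen + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return null;
        }
        // The MAC check fails (returns false) on any modified or foreign ciphertext.
        $plain = sodium_crypto_secretbox_open(substr($raw, $nlen), substr($raw, 0, $nlen), $this->key);
        if ($plain === false) {
            return null;
        }
        // json_decode(..., true) yields only arrays and scalars: no object injection.
        $state = json_decode($plain, true);
        return is_array($state) ? $state : null;
    }
}
```

In production the key is loaded from configuration rather than generated per request; `sodium_crypto_secretbox_keygen()` produces a suitable 32-byte key once.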