Bug #21179 :: PHP Object Injection through PHP Serializer

Search for bugs
Package Bug Statistics

Package home | Report new bug | New search | Development Roadmap

Status: Open | Feedback | All | Closed Since Version 0.5.8

Bug #21179	PHP Object Injection through PHP Serializer
Submitted:	2017-02-07 00:09 UTC
From:	ryat	Assigned:
Status:	Open	Package:	HTML_AJAX (version 0.5.8)
PHP Version:	Irrelevant	OS:
Roadmaps:	(Not assigned)
Subscription	Your email:

Comments Add Comment Add patch

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know! Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem : 17 - 1 = ?

[2017-02-07 00:09 UTC] ryat (Taoguang Chen)

Description:
------------
The fixes for bug#21165 can be bypassed since PHP's deserialization 
parser quirks.

PoC:
```
o:1:"i:0;i:1;}
```