php - Cookie (un)serialization in Laravel 5.5.42


Security release 5.5.42 "disables all serialization / unserialization of cookie values" (https://laravel-news.com/laravel-5-6-30). But my values are still serialized, only not unserialized. When I do

Cookie::get('key')

I get something like

"s:5:"value";"

Setting protected static $serialize = true; in App\Http\Middleware\EncryptCookies helps, and so does

unserialize(Cookie::get('key'))

But as I understand it, unserialize() itself is the source of the problem addressed by this security release, not what I do with the unserialized value later, so this kinda defeats the purpose of the update. Why are my cookies serialized here, and how do I fix this?


Answer

Solution:

This is actually worth an answer as the question itself is quite interesting.

From a Laravel perspective this isn't a cookie problem as much as it's an APP_KEY config key problem combined with serialize/unserialize.

Relevant quote from the docs:

However, if your application's encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application.

The relevant part is this: vulnerabilities inherent to PHP object serialization / unserialization.

Usually the form of exploit is Object Injection (the most common at least).

OWASP has a very good example here.

Even php.net has a red warning for its unserialize function:

Warning Do not pass untrusted user input to unserialize()

Cookies come from a user and users are NOT to be trusted.

Since an example is in order I'll just leave the OWASP one here too:

class Example1
{
   public $cache_file;

   function __construct()
   {
      // some PHP code...
   }

   function __destruct()
   {
      $file = "/var/www/cache/tmp/{$this->cache_file}";
      if (file_exists($file)) @unlink($file);
   }
}

// some PHP code...

$user_data = unserialize($_GET['data']);

// some PHP code...

In this example an attacker might be able to delete an arbitrary file via a Path Traversal attack, e.g. by requesting the following URL:

http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}

With that said, I highly recommend reading (even briefly) about serialize/unserialize vulnerabilities.

If you're using a proper framework, you'll usually have most security things taken care of, IF you don't go out of your way to introduce some vulnerability and you stick to the framework's standards.


Answer

Solution:

It's less efficient but in case of structured data, I replace serialize/unserialize with json_encode/json_decode.
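The two answers above describe the risk (an object-injection gadget reached through unserialize() of cookie data) and one mitigation (JSON instead of PHP serialization). The following is an added example, not code from either answer or from Laravel, that puts the OWASP-style gadget next to two defensive ways of reading the same untrusted string. The class name CacheEntry, the cookie payload and the readCookie* helpers are constructed for this demo; the destructor only echoes what it would have done instead of calling unlink(). Laravel's own fix goes further than either helper by not unserializing cookie values at all.

```php
<?php
// Added example: an object-injection gadget next to two safe ways of
// reading untrusted cookie data. Names and payload are constructed.

class CacheEntry
{
    public $cache_file = '';

    // Magic method that runs when the object is released. This is the
    // "arbitrary class method" that unserialize() of attacker-controlled
    // data can reach: the attacker picks the class and its property values.
    public function __destruct()
    {
        $path = __DIR__ . '/cache/' . $this->cache_file;
        // Demo only: report the action instead of performing it.
        echo "[__destruct] would remove {$path}\n";
    }
}

// Constructed payload in PHP's serialization format naming our class and
// smuggling a path-traversal value into its property.
$payload = 'O:10:"CacheEntry":1:{s:10:"cache_file";s:15:"../../index.php";}';

// 1. Vulnerable: plain unserialize() instantiates whatever class the payload
//    names, so CacheEntry::__destruct() later runs with attacker state.
function readCookieUnsafe(string $raw)
{
    return unserialize($raw);
}

// 2. Safer: refuse to instantiate any class. PHP 7.0+ maps every "O:" entry
//    to __PHP_Incomplete_Class, whose magic methods are never invoked.
function readCookieNoClasses(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// 3. Preferred for structured data (the second answer): JSON has no notion
//    of classes or magic methods, so the result is only arrays and scalars.
//    Requires PHP 7.3+ for JSON_THROW_ON_ERROR.
function readCookieJson(string $raw): array
{
    $value = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new UnexpectedValueException('cookie must decode to a JSON object');
    }
    return $value;
}

// --- Demonstration on the constructed payload ---

echo "unsafe:\n";
$obj = readCookieUnsafe($payload);
unset($obj);                       // the destructor fires here

echo "allowed_classes => false:\n";
$stub = readCookieNoClasses($payload);
var_dump($stub instanceof __PHP_Incomplete_Class);
unset($stub);                      // nothing happens: the real class was never built

echo "json:\n";
try {
    readCookieJson($payload);      // not JSON at all: rejected before any object exists
} catch (JsonException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
// A well-formed JSON cookie decodes to a plain array.
print_r(readCookieJson('{"cache_file":"report.txt"}'));
```

Run it with `php demo.php`. The first section shows the destructor firing on data the application never created; the second shows that `allowed_classes => false` keeps the payload inert; the third shows the JSON route rejecting the payload outright. If you keep PHP serialization anywhere near user input, the `allowed_classes` option is the minimum; moving structured cookie data to JSON, as the second answer does, removes the class of bug entirely.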
