This does not appear to be the case. To the best of my knowledge, PHP's serialization behaves much like Java's. If you serialize an object, the data gets serialized, not the code. In fact, if you unserialize an object without a matching class in the namespace, the resulting instance in PHP is a __PHP_Incomplete_Class object. The __wakeup() method that is called on unserialization is not defined in the serialized data, but rather in the class definition in the code itself. If one can really inject executable code into a serialized PHP object that easily, then PHP itself has a big problem. However, I do not believe that the serialization routines are designed to permit this. If they are, I'd like to see an example of the exploit.
My attempt to write an exploit of the type you describe fails. Here is the code:

Malicious.class.php:

<?php
class Malicious {
    public $data = 'default';

    // Runs automatically when unserialize() rebuilds a Malicious instance.
    public function __wakeup() {
        header('Content-type: text/plain');
        echo "Hello world, I'm Evil!\n";
        exit;
    }
}

---

out.php:

<?php
require_once('Malicious.class.php');

$output = new Malicious();
$output->data = 'changed';

header('Content-type: text/plain');
echo serialize($output);

Outputs:

O:9:"Malicious":1:{s:4:"data";s:7:"changed";}

---

in_withmalice.php:

<?php
require_once('Malicious.class.php');

$output = unserialize(file_get_contents('http://localhost/pstest/out.php'));

header('Content-type: text/plain');
print_r($output);

Outputs:

Hello world, I'm Evil!

---

in_withoutmalice.php:

<?php
// No require_once: the Malicious class is not defined in this script.
$output = unserialize(file_get_contents('http://localhost/pstest/out.php'));

header('Content-type: text/plain');
print_r($output);

Outputs:

__PHP_Incomplete_Class Object
(
    [__PHP_Incomplete_Class_Name] => Malicious
    [data] => changed
)

Now I agree with your basic intuition. Any data that gets passed to an application from an external source should never be completely trusted, whether it's a Web service, a form, or something else. Still, I doubt that consuming PHP serializations is fundamentally unsafe.

- David

---
David Cloutman <dclout...@co.marin.ca.us>
Electronic Services Librarian
Marin County Free Library

-----Original Message-----
From: Code for Libraries [mailto:code4...@listserv.nd.edu] On Behalf Of Tim Spalding
Sent: Tuesday, December 30, 2008 11:05 AM
To: CODE4LIB@LISTSERV.ND.EDU
Subject: Re: [CODE4LIB] Mime type for PHP serialized objects

Don't you think that's rather dangerous? PHP serialization can include objects, and it calls wakeup() on the object if that exists after unserialization. In theory that could do almost anything, right?

Tim

On Tue, Dec 30, 2008 at 1:55 PM, Cloutman, David <dclout...@co.marin.ca.us> wrote:
> I have a quick question for any PHP developers out there.
>
> I am writing a SOA application to manage my library's events calendar.
> The basic idea is to create a public API that our web site or other
> community organizations can use to query and consume information. I am
> using JSON as the default output for information, but would like to add
> the option of outputting native serialized PHP data structures as
> created by the serialize() function.
>
> My question is, what mime type should I use for serialized PHP data? The
> best suggestion I saw through Google was application/vnd.php.serialized,
> which was posted as a proposal. I don't know if any standard was adopted
> though. Has anyone else thought about this issue?
>
> - David
>
> ---
> David Cloutman <dclout...@co.marin.ca.us>
> Electronic Services Librarian
> Marin County Free Library
>
> Email Disclaimer: http://www.co.marin.ca.us/nav/misc/EmailDisclaimer.cfm

--
Check out my library at http://www.librarything.com/profile/timspalding
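The in_withmalice.php / in_withoutmalice.php pair above shows the point both sides of the thread circle around: the serialized bytes carry no code, but __wakeup() runs from the consumer's own class definition with whatever property values the bytes contain. The example below is added here and is not code from the thread or from the calendar project. It reuses the thread's Malicious class (with exit removed so the script can continue) and assumes PHP 7.0 or later for the allowed_classes option of unserialize(). The crafted payload string is constructed for the example, and unserializePlainData() / containsObject() are hypothetical helper names.

```php
<?php
// Added example, not code from the original thread. It reuses the Malicious
// class from David's test (exit removed so the script continues) to show
// two things: the consumer's own class supplies the code that runs on
// unserialize(), with property values the sender chose; and the
// allowed_classes option (PHP 7.0+) lets the consumer refuse to instantiate
// any class at all.

class Malicious
{
    public $data = 'default';

    /** Records every __wakeup() call so the script can inspect what ran. */
    public static $wakeups = [];

    public function __wakeup()
    {
        // $this->data is whatever the payload said it was.
        self::$wakeups[] = $this->data;
    }
}

// Constructed payload: written by hand, never produced by out.php. Anyone
// who controls the bytes handed to unserialize() (the remote service, a
// proxy, a tampered cache entry) can send this. 16 = strlen("from the network").
$crafted = 'O:9:"Malicious":1:{s:4:"data";s:16:"from the network";}';

// Case 1: plain unserialize(). The class is defined here, so __wakeup()
// runs with sender-controlled state. Nothing in the payload is "code";
// the property values are.
$obj = unserialize($crafted);
printf("case 1: class=%s wakeups=%s\n",
    get_class($obj), json_encode(Malicious::$wakeups));

// Case 2: refuse every class. Each object becomes __PHP_Incomplete_Class
// and no magic method of the application's classes is invoked.
Malicious::$wakeups = [];
$safe = unserialize($crafted, ['allowed_classes' => false]);
printf("case 2: class=%s wakeups=%s\n",
    get_class($safe), json_encode(Malicious::$wakeups));

/**
 * Hypothetical helper for a consumer that expects plain data (arrays,
 * strings, numbers) and no objects: instantiate nothing, then reject any
 * payload that still contained an object. Throws on malformed input and
 * on object-bearing input so callers cannot silently ignore either.
 */
function unserializePlainData(string $payload)
{
    $value = @unserialize($payload, ['allowed_classes' => false]);
    // unserialize() returns false both for garbage and for serialize(false).
    if ($value === false && $payload !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized payload');
    }
    if (containsObject($value)) {
        throw new UnexpectedValueException('payload contains an object');
    }
    return $value;
}

/** Walks nested arrays looking for any (incomplete) object. */
function containsObject($value): bool
{
    // instanceof rather than is_object(): before PHP 7.2, is_object()
    // returned false for __PHP_Incomplete_Class instances.
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Case 3: a calendar-style payload with no objects passes.
$events = unserializePlainData(
    serialize([['title' => 'Story time', 'date' => '2008-12-30']])
);
printf("case 3: %s\n", $events[0]['title']);

// Case 4: the crafted payload is rejected even though no class was
// instantiated while parsing it.
try {
    unserializePlainData($crafted);
} catch (UnexpectedValueException $e) {
    printf("case 4: rejected (%s)\n", $e->getMessage());
}
```

Two caveats for anyone consuming application/vnd.php.serialized from another host. First, the interesting gadgets are not classes named Malicious but ordinary application or framework classes whose __wakeup() or __destruct() does something with their properties (write a file, call a callback), since an attacker can name any class the consumer has loaded and fill in its properties; allowed_classes set to an explicit array of class names, or to false as above, is the control for that. Second, the PHP manual's own warning on unserialize() still applies even with allowed_classes: the parser itself has had memory-safety bugs, so JSON, which David already uses by default and which never instantiates application classes, remains the safer format for data that crosses a trust boundary.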