PHP unserialize vulnerability / risk of remote code execution (RCE)?
Davical 1.1.9.2-1 as available in the Ubuntu 20.04 repos
Dear Hackers,
By the end of last week I received an urgent security "heads up" concerning another PHP app, mentioning that there is a high risk and possibility of RCE when PHP's "unserialize" function is used improperly. However, there is no CVE I can give you just yet about that.
A dev forwarded the following article to me about the possible risk/cause:
https://paragonie.com/blog/2016/04/securely-implementing-de-serialization-in-php
from https://paragonie.com/blog/2016/04/securely-implementing-de-serialization-in-php
" In PHP 7, they added a second optional parameter to unserialize() that allows you to specify a whitelist of allowed classes (where "none" is an acceptable whitelist) if you're only serializing scalar types.
```php
$data = serialize($foo);

// PROBABLY SAFE, restrictive:
$object = unserialize($data, ['allowed_classes' => false]);

// PROBABLY SAFE, unless an attacker can control the whitelist:
$whitelist = ['MyProject\OtherNamespace\ObjectAllowed'];
$object = unserialize($data, ['allowed_classes' => $whitelist]);

// DEFINITELY UNSAFE:
$hackMe = unserialize($data, ['allowed_classes' => true]);
$hackMe = unserialize($data);
```
You might think, with PHP 7, that using one of the PROBABLY SAFE configurations is good enough, but beware: Many exploits affecting PHP in the past few years were the result of unserialize() bugs.
Recommendations:
Avoid ever passing user data to unserialize()
If you must unserialize user data in a PHP 7 project, make sure you don't allow arbitrary classes
See below.
The standard recommendation made by experienced PHP developers (which is also present in the PHP manual entry for unserialize()) is to instead use JSON encoding when handling user input. "
Since I am not into web programming nor PHP at all, I am unable to evaluate this problem or risk. **But "grep"-ing through the DAViCal installation path shows that the version I still use (Davical 1.1.9.2-1 as available in the Ubuntu 20.04 repos) uses the unserialize() function with just ONE ARGUMENT.**
I therefore searched Google for a while for any known vulnerability within DAViCal and also searched the issues and changelog here on GitLab, without success.
So I just wanted to forward this "supposedly urgent" heads up to you and ask you whether this is a thing or nothing to worry about?
Sorry for the somewhat unprofessional issue/report. I don't have anything "more substantial" just now.
Thanks for the excellent work.
best regards
Axel
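As an added illustration (not code from this report, from the quoted article, or from DAViCal), the following PHP script shows what the second argument to unserialize() changes in practice; the `AuditLogEntry` class and the serialized string are constructed for the demonstration:

```php
<?php
// Added example: not from DAViCal or the quoted article. The class and the
// serialized string below are constructed for the demonstration.

class AuditLogEntry
{
    public $message = '';

    // PHP calls __wakeup() automatically whenever unserialize() rebuilds an
    // object of this class, so whatever it does runs on caller-supplied data
    // if the class may be instantiated during deserialization.
    public function __wakeup()
    {
        echo "    __wakeup() ran for " . self::class . "\n";
    }
}

// Constructed payload standing in for a string received from a client
// (cookie, form field, cached value); the receiving code cannot tell the
// difference between this and a string the client assembled itself.
$untrusted = serialize(new AuditLogEntry());

// Report what unserialize() produced: the class name for objects, otherwise
// the scalar/array type.
function describe(string $label, $value): void
{
    $type = is_object($value) ? get_class($value) : gettype($value);
    echo "  {$label}: {$type}\n";
}

echo "1) one-argument unserialize(), the form the report's grep found:\n";
describe('result', unserialize($untrusted));

echo "2) allowed_classes => false (scalars and arrays only):\n";
// Objects are not instantiated; they come back as __PHP_Incomplete_Class,
// so no __wakeup()/__destruct() of an application class runs.
describe('result', unserialize($untrusted, ['allowed_classes' => false]));

echo "3) explicit allow-list (only as safe as the list is out of callers' reach):\n";
describe('result', unserialize($untrusted, ['allowed_classes' => [AuditLogEntry::class]]));

echo "4) JSON round-trip, the manual's recommendation for user input:\n";
// json_decode() never instantiates application classes.
describe('result', json_decode(json_encode(['message' => 'hello']), true));
```

Run it with `php demo.php` on PHP 7.0 or later: cases 1 and 3 invoke __wakeup(), case 2 does not, which is exactly the difference the quoted article draws between the one-argument call and the `allowed_classes` variants. The article's caveat still applies: the allow-list keeps application classes from being instantiated, but it does not protect against bugs inside unserialize() itself, which is why JSON is recommended for untrusted input.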