oss-security - CVE request: b2evolution 6.7.6 Object Injection vulnerability

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <CAEiFw0URs1e9oVb-Jzh3qDe-bOyEVJo7iL3Bx0YFSTFK9FRB-A@mail.gmail.com>
Date: Fri, 30 Sep 2016 14:54:20 +0800
From: Carl Peng <felixk3y@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: b2evolution 6.7.6 Object Injection vulnerability

hello,
 i reported a object injection vulnerability to b2evolution team, and now
it has been fixed.

Vulnerability:
/htsrv/call_plugin.php #lines 31~40
```
param( 'params', 'string', null ); // serialized
if( is_null($params) )
{ // Default:
$params = array();
}
else
{ // params given. This may result in "false", but this means that
unserializing failed.
$params = @unserialize($params); //object injection
}
```
The parameter of "params" may lead to Object Injection by sending
"params=serialized+object+here"
fixed:
https://github.com/b2evolution/b2evolution/commit/25c21cf9cc4261324001f9039509710b37ee2c4d

This issue was reported by Peng Hua of silence.com.cn Inc. and I would like
to request CVE for this issue (if not done so).

-------------------http://www.silence.com.cn/
penghua@...ence.com.cn
PKAV Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.