So I was just reading up on the OWASP site about PHP Object Injection. According to their site, the suggested fix is to not use serialize and unserialize but to use json_encode and json_decode.

However, after doing a few tests in a limited amount of time I have found that this isn't the case at all. For example (working Codepad example):

<?php
// Deliberately exploitable demo: e() calls whatever function name it is handed.
function e($method, $args) {
    return $method($args);
}

// json_decode() only produces a plain string here ("system"); the dangerous part
// is the dynamic call inside e(), which is then invoked with "ls" as its argument.
var_dump(call_user_func_array("e", array((string)array_shift(json_decode("[\"system\"]")), "ls")));
?>

So, my questions are:

  1. Would you agree with me that this is not the case, and there should be more of a suggested fix rather than just using json_* functions?

  2. Am I actually correct in assuming what I have done is correct?

Anders
DarkMantis

3 Answers

5

Unlike unserialize, if you execute json_decode alone it will not be able to instantiate any variable types other than simple ones (e.g. arrays, strings, ints, floats, etc.), so it is fairly safe to run it with user input data.

The problem in your code is with the e function. If the parameters you pass to it come from an untrusted source such as user input, some attacker could just pass the name of a potentially dangerous function that exists in your code, so e would execute it and it could harm your application. You should never let this happen.

Guilherme Sehn
  • Relevant: http://websec.io/2014/06/13/Fun-with-Input-Handling-regex-logs-serializing.html (see the section on "Poor unserialize handling") – enygma Jul 16 '14 at 13:58
  • Okay, I see what you're saying. I would just like to add that the script was made to be exploitable, not to be safe :) Thanks for the answer! – DarkMantis Jul 17 '14 at 08:41
3

I'm the author of the OWASP page about PHP Object Injection. Like already said by Guilherme Sehn, json_decode will not allow for object deserialization, and the snippet code you've posted contains a vulnerability which doesn't concern PHP Object Injection. So, I think it's correct to say that using JSON functions is enough to prevent object injection attacks. This should also be the reason why some time after creating that OWASP page the PHP guys have added a note on the unserialize reference page: http://php.net/manual/en/function.unserialize.php#refsect1-function.unserialize-notes

EgiX
1

Fix for what?

Serialized objects might be useful, but you should just never ever unserialize() user input; this WILL fail and there WILL be a smarter guy who will find this vulnerability.

The OWASP page is very wrong IMHO. It just should issue a big red warning: Don't use unserialize on user data!

Or am I wrong here?

Anders