Serialized PHP object in HTTP header


Description   PHP object injection is an application-level vulnerability that can allow an attacker to perform various malicious attacks, such as code injection, SQL injection, path traversal or denial of service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to PHP's unserialize() function.

Default configuration
Profiles      High    Medium  Low     Internet
Action        Block   Block   Pass    Block
Alarm Level   Minor   Minor   Minor   Minor

References   URL: https://www.owasp.org/index.php/PHP_Object_Injection
URL: http://www.phpinternalsbook.com/classes_objects/serialization.html
URL: https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf
URL: https://websec.files.wordpress.com/2010/11/rips_ccs.pdf
URL: https://www.insomniasec.com/downloads/publications/Practical%20PHP%20Object%20Injection.pdf
     
Available since   ASQ v5.0.0
     
Protects   WordPress Third-Party Plugins Multiple Vulnerabilities
WordPress Third-Party Modules Multiple Vulnerabilities
WordPress Third Party Modules Multiple Vulnerabilities
Wordpress Multiple Third Party Plugins Multiple Vulnerabilities
100 last CVE   CVE-2016-1000155
CVE-2016-1000154
CVE-2016-1000153
CVE-2016-1000152
CVE-2016-1000151
CVE-2016-1000150
CVE-2016-1000149
CVE-2016-1000148
CVE-2016-1000147
CVE-2016-1000146
CVE-2016-1000145
CVE-2016-1000144
CVE-2016-1000143
CVE-2016-1000142
CVE-2016-1000141
CVE-2016-1000140
CVE-2016-1000138
CVE-2016-1000137
CVE-2016-1000136
CVE-2016-1000135
CVE-2016-1000134
CVE-2016-1000133
CVE-2016-1000132
CVE-2016-1000131
CVE-2016-1000130
CVE-2016-1000128
CVE-2016-1000127
CVE-2016-1000126
CVE-2016-0770
CVE-2016-0769
CVE-2016-0765
CVE-2014-9309

Risk level   Moderate