Adianti Framework Deserialization Vulnerability Allowing PHP Object Injection

Vulnerability

A critical deserialization vulnerability has been identified in Adianti Framework versions prior to 8.0 (the fix shipped in version 8.1; see Remediation). Untrusted request data is passed to PHP's unserialize() without validation. Because unserialize() instantiates whatever class the serialized string names and then runs that class's magic methods (__wakeup() on deserialization, __destruct() when the object is released), an attacker who controls the string controls which objects are created and with which properties. This is PHP object injection: the attacker can chain the application's own loadable classes ("gadgets") into side effects such as deleting arbitrary files or, depending on which classes the application's codebase makes available, executing code. Although most functionality in Adianti Framework requires authentication, this vulnerability can be exploited by users with low-level privileges.

Impact

Exploitation yields PHP object injection: the attacker chooses the classes and property values of objects the application deserializes, and any side effect reachable through those objects' magic methods runs with the web server's privileges. Concretely, this has been shown to delete files on the server; whether it escalates to arbitrary code execution depends on which gadget classes are loadable in the deployed application.

Reproduction

To reproduce this vulnerability, first upload a file through the Adianti Framework's file upload feature and note the server-side path it is stored under. Then send a request to the application's login form carrying a crafted PHP serialized object in the parameter that the framework passes to unserialize(); the object names a class whose deserialization-time behaviour (its __wakeup() or __destruct() method) removes the file whose path is supplied in the object's properties. The uploaded file is gone afterwards, which confirms that attacker-supplied objects are instantiated and that their magic methods execute.
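The following is an added, self-contained PHP example that is not Adianti code and not the reported gadget; it shows the mechanism the Vulnerability and Reproduction sections describe (an unserialize() call on client data, a harmless-looking class whose __destruct() unlinks a file, and a hand-written serialized string that triggers it) next to a hardened replacement. The class TempFile, the functions, the HMAC framing and the "server-side-secret" key are all hypothetical; the victim file is a scratch file created by the script itself.

```php
<?php
// Added example (not Adianti code): the unserialize() pattern behind PHP object
// injection, and a hardened replacement. Class, function and parameter names
// are hypothetical; the deleted file is a scratch file this script creates.

declare(strict_types=1);

// An ordinary application class: it cleans up a temporary file when the object
// goes away. On its own it is harmless. It becomes a gadget only because
// unserialize() can build one with an attacker-chosen $path.
final class TempFile
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE: client-controlled state goes straight into unserialize().
// PHP instantiates whatever class the string names; __destruct() runs as soon
// as the object is released, so the attacker picks which file gets unlinked.
function restoreStateVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// HARDENED: only accept blobs this server issued, and refuse objects entirely.
function restoreStateHardened(string $untrusted, string $key): ?array
{
    // Expected shape: "<hex hmac>.<base64 payload>".
    $parts = explode('.', $untrusted, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $encoded] = $parts;
    if (!hash_equals(hash_hmac('sha256', $encoded, $key), $mac)) {
        return null;                       // not issued by us: never reaches unserialize()
    }
    $raw = base64_decode($encoded, true);
    if ($raw === false) {
        return null;
    }
    // Defence in depth: with allowed_classes => false every object in the stream
    // becomes __PHP_Incomplete_Class, so no __wakeup()/__destruct() gadget can fire.
    $value = unserialize($raw, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

function issueState(array $state, string $key): string
{
    $encoded = base64_encode(serialize($state));
    return hash_hmac('sha256', $encoded, $key) . '.' . $encoded;
}

// --- Demonstration on a scratch file (constructed input, not a real target) ---
$victim = tempnam(sys_get_temp_dir(), 'upload_');
file_put_contents($victim, 'uploaded content');

// The attacker never calls the constructor; they hand-write the serialized form.
$payload = 'O:8:"TempFile":1:{s:4:"path";s:' . strlen($victim) . ':"' . $victim . '";}';

restoreStateVulnerable($payload);          // object built, released, __destruct() unlinks $victim
echo "vulnerable path, file still exists: " . var_export(file_exists($victim), true) . "\n";

file_put_contents($victim, 'uploaded content');
$key = 'server-side-secret';
var_dump(restoreStateHardened($payload, $key)); // rejected at the MAC check, nothing instantiated
echo "hardened path, file still exists: " . var_export(file_exists($victim), true) . "\n";

// A legitimate round trip through the hardened path still works.
var_dump(restoreStateHardened(issueState(['page' => 2], $key), $key));

unlink($victim);
```

Run it with `php example.php` (PHP 8.0 or later). The point to take from the hardened version is the order of checks: authenticate the blob before it reaches unserialize(), and even then deny object instantiation; where the data really only needs to be a plain array, json_decode() avoids the object-injection surface altogether.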

Remediation

Users are advised to upgrade to Adianti Framework version 8.1 or later, where this vulnerability has been addressed. As a general check on applications built on the framework, audit their own code for unserialize() calls on request-derived data; where deserialization of client data cannot be avoided, pass the 'allowed_classes' => false option (or an explicit allow-list of classes) and verify the data's integrity before deserializing it.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

    spread           0.0
    impact          10.0
    exploitability   6.6
    remediation      7.7
    relevance        0.0
    threat           6.4
    urgency          2.9
    incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.