MiczFlor RPi-Jukebox-RFID Insecure Deserialization Vulnerability in rss-mp3.php

Vulnerability

An insecure deserialization vulnerability has been identified in the MiczFlor RPi-Jukebox-RFID project, specifically in the rss-mp3.php script, affecting all versions prior to commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014. The flaw arises because the 'rss' GET parameter is accepted without validation and passed directly to the unserialize() function. A remote, unauthenticated attacker can therefore inject arbitrary PHP objects, which the application then processes, potentially leading to errors or a denial-of-service condition.

Impact

Exploitation of this vulnerability allows for PHP object injection, which could be leveraged to execute arbitrary code, depending on the injected object's class and the application's context.

Reproduction

To reproduce this vulnerability, send a GET request to the rss-mp3.php script with a URL-encoded serialized object as the 'rss' parameter. The application unserializes the object without validation, allowing arbitrary PHP objects to be injected. Accessing the URL triggers warnings indicating that the injected object was used in file operations, confirming successful exploitation of the vulnerability.
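The pattern described above, beside a hardened form, as an added illustration that is not the project's own code: the function names, the assumption that 'rss' is meant to carry a feed URL, and the constructed sample inputs are all hypothetical.

```php
<?php
// Added example, not code from RPi-Jukebox-RFID. The shape of the 'rss' value
// (a feed URL) and all function names are assumptions for illustration.
declare(strict_types=1);

// Pattern the advisory describes: the raw GET parameter reaches unserialize(),
// so any attacker-chosen object is instantiated before the script inspects it.
function loadRssInsecure(array $get): mixed
{
    return unserialize($get['rss'] ?? '');
}

// Hardened form: treat the parameter as an untrusted string, never as serialized
// PHP. Require a well-formed http(s) URL of bounded length and deserialize nothing.
function loadRssHardened(array $get): ?string
{
    $raw = $get['rss'] ?? null;
    if (!is_string($raw) || strlen($raw) > 2048) {
        return null;
    }
    $url = filter_var($raw, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// If serialized input genuinely must be accepted, refuse to instantiate any
// class: objects come back as __PHP_Incomplete_Class, so no magic methods
// (__wakeup, __destruct, ...) of application classes can run during unserialize().
function unserializeNoObjects(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false, 'max_depth' => 8]);
}

// Constructed inputs: a benign feed URL and a harmless empty stdClass object.
var_dump(loadRssHardened(['rss' => 'https://example.com/feed.xml']));
var_dump(loadRssHardened(['rss' => 'O:8:"stdClass":0:{}']));
var_dump(unserializeNoObjects('O:8:"stdClass":0:{}'));
```

The second call is rejected before unserialize() is ever reached, and the third shows that even permitted deserialization yields only an incomplete-class placeholder rather than a live object.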

Added: Dec 18, 2025, 9:20 PM
Updated: Dec 18, 2025, 10:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.