Saloon PHP Library AccessTokenAuthenticator Unserialization Vulnerability Leading to Remote Code Execution
Vulnerability
A vulnerability exists in the Saloon PHP library, in versions prior to 4.0.0, within the AccessTokenAuthenticator class. The issue arises from the use of PHP's unserialize() function to restore OAuth token state from cache or storage, with allowed_classes set to true (PHP's default, which lets any class be instantiated). An attacker who can control that serialized string, for example by overwriting a cached token file or through another injection path, can supply a serialized 'gadget' object. When unserialize() is executed, PHP instantiates the object and triggers its magic methods, such as __wakeup and __destruct, resulting in object injection. In environments with common dependencies like Monolog, this can be escalated to remote code execution. The issue has been patched in Saloon version 4.0.0, which removes PHP serialization from the AccessTokenAuthenticator class and requires users to store and resolve the authenticator themselves.
Impact
Exploitation of this vulnerability allows for insecure deserialization, leading to object injection and potentially remote code execution, especially in environments with common dependencies like Monolog.
Remediation
Users are advised to upgrade to Saloon version 4.0.0 or later. An upgrade guide is available in the Saloon official documentation.
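To illustrate the pattern described in the Vulnerability and Remediation sections, here is an added example (not Saloon's own code) of a minimal token holder persisted two ways: the vulnerable form that restores state with unserialize() under the default allowed_classes => true, and a hardened form that stores only scalar fields as JSON and rebuilds the object explicitly, which is the same direction the 4.0.0 fix takes. The class and function names are hypothetical.

```php
<?php
// Added example, not Saloon's code. Hypothetical minimal token holder.
final class CachedToken
{
    public function __construct(
        public readonly string $accessToken,
        public readonly ?string $refreshToken = null,
        public readonly ?DateTimeImmutable $expiresAt = null,
    ) {}
}

// VULNERABLE: whoever controls the cached bytes chooses which class PHP
// instantiates, so a serialized gadget object is revived and its
// __wakeup/__destruct run. allowed_classes defaults to true here.
function restoreTokenUnsafe(string $cached): CachedToken
{
    return unserialize($cached); // object injection point
}

// HARDENED: never hand attacker-reachable bytes to unserialize().
// Persist only scalar fields as JSON and rebuild the object yourself.
// (If unserialize() truly cannot be avoided, at minimum pass an explicit
// allow-list: unserialize($s, ['allowed_classes' => [CachedToken::class]]).)
function storeToken(CachedToken $token): string
{
    return json_encode([
        'access_token'  => $token->accessToken,
        'refresh_token' => $token->refreshToken,
        'expires_at'    => $token->expiresAt?->format(DATE_ATOM),
    ], JSON_THROW_ON_ERROR);
}

function restoreTokenSafe(string $cached): CachedToken
{
    $data = json_decode($cached, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !is_string($data['access_token'] ?? null)) {
        throw new InvalidArgumentException('Malformed token cache entry');
    }
    return new CachedToken(
        $data['access_token'],
        isset($data['refresh_token']) ? (string) $data['refresh_token'] : null,
        isset($data['expires_at']) ? new DateTimeImmutable($data['expires_at']) : null,
    );
}

// Constructed round trip: the JSON path restores the same fields without
// ever letting the cache contents pick a class.
$token = new CachedToken('at-example', 'rt-example', new DateTimeImmutable('2030-01-01T00:00:00+00:00'));
$restored = restoreTokenSafe(storeToken($token));
assert($restored->accessToken === 'at-example' && $restored->refreshToken === 'rt-example');
```

A quick audit check for the same defect elsewhere in a code base is to grep for unserialize( calls whose input originates from a file, cache or database and that lack an allowed_classes option.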
