MixPHP Framework Unsafe Deserialization Vulnerability in Session and Cache Handlers Allowing Remote Code Execution
Vulnerability
A vulnerability allowing remote code execution through unsafe deserialization has been identified in MixPHP Framework versions 2.x prior to 2.2.17. The issue arises in the RedisHandler object, where session and cache handlers use the unserialize() function on data from Redis, without any validation or integrity checks. This vulnerability can be exploited by compromising the data store and injecting malicious payloads that are executed on the application server.
Impact
Exploitation of this vulnerability leads to remote code execution on the application server.
Reproduction
The vulnerability can be reproduced by injecting serialized objects into the Redis or Memcached data stores that, when unserialized by the application, execute arbitrary code. This can be done by exploiting another weakness to write to the data store, or by compromising a server that communicates with a client that deserializes data from the server.
Remediation
To address this vulnerability, it is recommended to use an allowlist with the unserialize() function to prevent the deserialization of untrusted data. Alternatively, replace unserialize() with JSON serialization when object types are not necessary.
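The two remediations above, shown side by side with the weak pattern, as an added example that is not MixPHP's own code. It assumes a hypothetical `$redis` client exposing `get()`/`set()`, session keys of the form `session:<id>`, and a server-side `$secret` that never leaves the application.

```php
<?php
// Added example (not MixPHP's code). Assumes a Redis client exposing get()/set()
// (hypothetical $redis), keys "session:<id>", and a server-side secret.

// Before: unserialize() on raw Redis data. Whoever can write to Redis chooses
// which classes get instantiated, so any gadget chain present in the codebase
// runs on the application server.
function loadSessionUnsafe($redis, string $id): array
{
    $raw = $redis->get("session:$id");
    return $raw === false ? [] : (array) unserialize($raw);
}

// Hardened option 1: unserialize() with an allowlist. allowed_classes => false
// refuses every object (they come back as __PHP_Incomplete_Class), so no
// __wakeup()/__destruct() of an arbitrary class can run. Pass class names
// instead only for value objects the session genuinely needs.
function loadSessionAllowlist($redis, string $id, array $allowedClasses = []): array
{
    $raw = $redis->get("session:$id");
    if ($raw === false) {
        return [];
    }
    $data = unserialize($raw, ['allowed_classes' => $allowedClasses ?: false]);
    return is_array($data) ? $data : [];
}

// Hardened option 2: JSON plus an HMAC for the common case where the session
// holds only scalars/arrays. json_decode() never instantiates classes, and the
// MAC makes an entry written into Redis without the key detectable.
function saveSessionJson($redis, string $id, array $data, string $secret): void
{
    $json = json_encode($data, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $secret);
    $redis->set("session:$id", $mac . '.' . $json);
}

function loadSessionJson($redis, string $id, string $secret): array
{
    $raw = $redis->get("session:$id");
    if ($raw === false || strpos($raw, '.') === false) {
        return [];
    }
    [$mac, $json] = explode('.', $raw, 2);
    if (!hash_equals(hash_hmac('sha256', $json, $secret), $mac)) {
        return []; // tampered or forged entry: treat as no session
    }
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}
```

The HMAC step is the integrity check the advisory says is missing; it also turns a forged Redis entry into a logged rejection rather than a silent session load.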
