MixPHP Framework Unsafe Deserialization Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability allowing remote code execution through unsafe deserialization has been identified in MixPHP Framework versions 2.x prior to 2.2.17. The issue arises because the session and cache handlers in the FileHandler object use 'unserialize()' on data from the filesystem without any validation, allowing attacker-controlled data to be executed as code.
Impact
Exploitation of this vulnerability leads to remote code execution on the application server.
Reproduction
The vulnerability can be reproduced by injecting serialized objects into the session or cache data stores, such as Redis or Memcached. Once the data is injected, the application will unserialize the data without any integrity checks, executing any embedded PHP code.
Remediation
To address this vulnerability, pass an allowlist of the classes the store is expected to hold in the options array that is the second argument of 'unserialize()', or replace 'unserialize()' with JSON serialization where object types are not necessary.
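The two remediations above, as an added example that is not MixPHP's own code: the unchecked call beside an allowlisted read and a JSON read. SessionData is a hypothetical value class standing in for whatever the application stores, and $raw is assumed to be the string read back from the session or cache store.

```php
<?php
// Added example, not code from the MixPHP project.

// Weak form: any class named in the payload is instantiated, so its
// __wakeup()/__destruct() logic runs on data the application never validated.
function readWeak(string $raw): mixed
{
    return unserialize($raw);
}

// Hypothetical value class: the only object type this store is meant to hold.
final class SessionData
{
    public function __construct(public array $values = []) {}
}

// A disallowed class does not fail loudly: it comes back as __PHP_Incomplete_Class,
// possibly nested inside an allowed object or array, so walk the whole value.
function containsIncomplete(mixed $v): bool
{
    if ($v instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_object($v)) {
        $v = get_object_vars($v);
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (containsIncomplete($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened form 1: allowlist via the options array (second argument of unserialize()).
function readAllowlisted(string $raw): mixed
{
    $value = unserialize($raw, ['allowed_classes' => [SessionData::class]]);
    return containsIncomplete($value) ? false : $value;
}

// Hardened form 2: JSON for stores that only need scalars and arrays, never objects.
function writeJson(array $values): string
{
    return json_encode($values, JSON_THROW_ON_ERROR);
}

function readJson(string $raw): array
{
    $value = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : [];
}

// Constructed samples: a payload naming a class that is not allowlisted is rejected,
// the expected SessionData round-trips, and the JSON path never creates objects.
var_dump(readAllowlisted('O:10:"NotAllowed":0:{}'));
var_dump(readAllowlisted(serialize(new SessionData(['uid' => 7]))));
var_dump(readJson(writeJson(['uid' => 7])));
```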