mcdruid.co.uk { web: development; }

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in the Pair Framework.

The maintainer, Viames, was very responsive to the report and addressed the issue quickly. Thanks!

https://github.com/viames/pair/releases/tag/2.0.0-beta

The fix was also backported to the earlier branch, with release 1.9.12

Details of the report:

As part of my research into Gadget Chains and PHP Object Injection, I discovered an unsafe deserialisation vulnerability in The Marketer OpenCart module.

There are Gadget Chains available in Opencart - including a few that I found and submitted to the PHPGGC project:

https://github.com/ambionics/phpggc/pull/199 (not yet merged).

The vulnerability in The Marketer module, combined with these Gadget Chains, allows remote unauthenticated RCE so it got a very high CVSS score.

As part of my research into Gadget Chains and PHP Object Injection, I discovered an unsafe deserialisation vulnerability in the openmass project.

The maintainers responded quickly to the report, and put a fix in place the same day:

https://github.com/massgov/openmass/commit/1966c48ecee26e1c10479af00aa0f...

The vulnerability was never exposed on the public facing website.

As part of my research into Gadget Chains and PHP Object Injection, I discovered a File Write Gadget Chain in Joomla.

I submitted a PR for this to the excellent PHPGGC project - it will hopefully be Joomla/FW1:

https://github.com/ambionics/phpggc/pull/202 (not yet merged)

I reported this to the Joomla Security Team (before submitting the PR), and they responded quickly.

Unlike some projects I've reported Gadget Chains to, they were grateful for the report and put a fix in place fast:

As part of my research into Gadget Chains and PHP Object Injection, I discovered exploitable vulnerabilities in three different XOOPS modules.

The XOOPS team responded quickly to my report, and fixes were released not long after. They were very good to work with.

They published details here:

https://xoops.org/modules/newbb/viewtopic.php?topic_id=79555

The specific fixes were:

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in the MODX Login Extra project.

The MODX team responded immediately to my report and a fix was released within hours - very impressive!

They published details here:

https://community.modx.com/t/modx-login-extra-php-object-injection-vulne...

This was assessed as:

It's possible to use the metasploit console and meterpreter as a powerful Command and Control (C2) system using sessions and channels; here's how.

One-liner to start up a multi-handler in the metasploit console listening on a given port for incoming connections from a (staged) metasploit payload:

Something is overriding config in Drupal - you can see it by invoking drush with and without the flag to include overrides:

$ drush cget system.performance | grep -B1 preprocess
css:
  preprocess: false
--
js:
  preprocess: false

$ drush cget --include-overridden system.performance | grep -B1 preprocess
css:
  preprocess: true
--
js:
  preprocess: true

Perhaps we want to turn this config off, but these overrides won't let us.

Where are these config overrides coming from?

PHP's create_function() was:

DEPRECATED as of PHP 7.2.0, and REMOVED as of PHP 8.0.0

As the docs say, its use is highly discouraged.

PHP 7 is no longer supported by the upstream developers, but it'll still be around for a while longer (because, for example, popular linux distributions provide support for years beyond the upstream End of Life).

A few years ago I found quite an interesting vulnerability in a contributed Drupal module called tablefield.

The module allows Drupal entities to hold tabular data, and the vulnerability was a combination of Insecure Deserialisation and a type of Insecure Direct Object Reference (IDOR).

The fix was released over 4 years ago so sufficient time has passed for me to share some more details.

The module has a hook_menu page callback (Drupal 7's equivalent of a route) that looks like this: