CakePHP 1.3.5 / 1.2.8 unserialize() vulnerability - Vulnerability Database

CakePHP 1.3.5 / 1.2.8 unserialize() vulnerability

Description

CakePHP is a rapid development framework for PHP that follows the Model-View-Controller (MVC) architecture pattern. Versions 1.3.5 and earlier (1.3.x branch) and 1.2.8 and earlier (1.2.x branch) contain an insecure deserialization vulnerability: the framework itself passes request-controlled data to PHP's unserialize() without validating or authenticating it first. Because unserialize() instantiates whatever class the serialized string names and populates its properties from the string, an attacker can plant arbitrary PHP objects in the application's execution context. When one of those objects belongs to a class with a magic method such as __wakeup() or __destruct() that acts on its own properties (writing a file, including a path, running a query), the attacker controls that action, which in practice can escalate to remote code execution.

Remediation

Immediately upgrade CakePHP to a patched version that addresses CVE-2010-4335. For the 1.2.x branch, upgrade to version 1.2.9 or later. For the 1.3.x branch, upgrade to version 1.3.6 or later. If immediate upgrading is not possible, implement the following temporary mitigations, keeping in mind that the unsafe call lives in the framework's own code, so application-level changes alone do not close it:

1. Review all code that calls unserialize(), including the vendored CakePHP directory, and ensure it never processes data that came from the request (form fields, cookies, headers, query strings)
2. Where a serialized blob must round-trip through the client, authenticate it (for example with an HMAC over the serialized string, verified before unserialize() is called) so that only server-generated values are ever deserialized
3. Prefer a format that cannot instantiate objects, such as json_decode(), which only produces scalars, arrays and plain stdClass objects and therefore triggers no application magic methods
4. Apply web application firewall (WAF) rules to detect and block serialized object injection attempts (serialized objects start with a recognizable O:<length>:"<class name>" prefix), but treat this as a stopgap only: encoded or fragmented payloads are easy to miss

After upgrading, verify the fix by confirming that a serialized object supplied in the affected request field is rejected rather than instantiated: no class named in the payload should be loaded, and no magic method on it should run.
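The following PHP script is an added illustration and is not CakePHP's code or the page's own; it reproduces the pattern behind this class of bug and the three mitigations listed above side by side. The class CacheWriter, the handler names, the HMAC key and the request strings are all constructed for the example. The allowed_classes option requires PHP 7.0 or later and did not exist when these CakePHP versions were current, which is why authenticating the blob or switching to JSON were the realistic fixes at the time.

```php
<?php
// Hypothetical gadget class, standing in for any autoloadable class whose
// magic method acts on its own properties. A real gadget would, for example,
// call file_put_contents($this->path, $this->data); the echo here only shows
// that the attacker reached it with attacker-chosen values.
class CacheWriter
{
    public $path;
    public $data;

    public function __destruct()
    {
        echo "[gadget] __destruct would write " . strlen($this->data)
            . " bytes to {$this->path}\n";
    }
}

// Vulnerable: the CakePHP <= 1.3.5 / 1.2.8 pattern, unserialize() on a field
// taken straight from the request.
function vulnerableHandler(string $fields): array
{
    return (array) unserialize($fields);
}

// Mitigation 1 (PHP 7.0+): keep the wire format but forbid instantiating any
// class. Objects in the string become __PHP_Incomplete_Class, so the
// is_array check below rejects them before any magic method can run.
function hardenedUnserialize(string $fields): array
{
    $value = @unserialize($fields, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('expected a serialized array');
    }
    return $value;
}

// Mitigation 2: authenticate the blob. Only the server holds $key, so an
// attacker cannot produce a value that reaches unserialize() at all.
function signFields(array $fields, string $key): string
{
    $payload = serialize($fields);
    return hash_hmac('sha256', $payload, $key) . '|' . $payload;
}

function verifyAndUnserialize(string $signed, string $key): array
{
    $pos = strpos($signed, '|');
    if ($pos === false) {
        throw new UnexpectedValueException('missing authentication tag');
    }
    $tag = substr($signed, 0, $pos);
    $payload = substr($signed, $pos + 1);
    // hash_equals() is constant-time, so the tag cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        throw new UnexpectedValueException('bad authentication tag');
    }
    return (array) unserialize($payload);
}

// Mitigation 3: a format that cannot name classes. json_decode() with
// assoc=true yields only scalars and arrays.
function jsonFields(string $fields): array
{
    $value = json_decode($fields, true, 32);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($value)) {
        throw new UnexpectedValueException('expected a JSON array');
    }
    return $value;
}

// Constructed attacker payload: a serialized CacheWriter. It is written as a
// literal rather than built with serialize() so no object exists until the
// vulnerable handler creates one.
$attack = 'O:11:"CacheWriter":2:{s:4:"path";s:12:"/tmp/pwn.php";'
        . 's:4:"data";s:19:"<?php phpinfo(); ?>";}';
$key = 'server-side-secret-for-the-example';

echo "vulnerable:\n";
vulnerableHandler($attack);            // prints the [gadget] line: object injected

foreach (['hardenedUnserialize', 'jsonFields'] as $fn) {
    try {
        $fn($attack);
    } catch (UnexpectedValueException $e) {
        echo "$fn rejected: {$e->getMessage()}\n";
    }
}
try {
    verifyAndUnserialize($attack, $key);
} catch (UnexpectedValueException $e) {
    echo "verifyAndUnserialize rejected: {$e->getMessage()}\n";
}

// A legitimate, server-signed value still round-trips.
$legit = signFields(['Post.title', 'Post.body'], $key);
print_r(verifyAndUnserialize($legit, $key));
```

The verification step from the remediation text is the last three calls: a crafted O:...{...} string must be refused by every path that touches unserialize(), while a value the server signed itself still decodes. If the vulnerable handler prints the [gadget] line, an attacker-controlled object reached a magic method, which is exactly the condition the upgrade is meant to remove.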

Related Vulnerabilities