PHP object deserialization of user-supplied data - Vulnerability Database

PHP object deserialization of user-supplied data

Description

The application uses PHP's unserialize() function to deserialize user-supplied data. This practice is inherently dangerous because attackers can craft malicious serialized objects that, when deserialized, can trigger unintended code execution or manipulate application logic. PHP object deserialization vulnerabilities occur when untrusted input is passed directly to unserialize() without proper validation, allowing attackers to instantiate arbitrary objects and potentially invoke magic methods (__wakeup, __destruct, etc.) with attacker-controlled properties.

Remediation

Immediately stop using unserialize() on user-supplied data. Implement the following remediation steps:

1. Replace unserialize() with safe alternatives:
Use JSON for data serialization, which only handles primitive data types and cannot instantiate objects:

    // UNSAFE - Do not use
    $data = unserialize($_POST['user_data']);

    // SAFE - Use JSON instead
    $data = json_decode($_POST['user_data'], true);

2. If you must deserialize PHP objects:
Use the allowed_classes option to strictly limit which classes can be instantiated (PHP 7.0+):

    // Only allow specific, safe classes
    $data = unserialize($input, ['allowed_classes' => ['SafeClass1', 'SafeClass2']]);

    // Or prevent all object instantiation
    $data = unserialize($input, ['allowed_classes' => false]);

3. Implement input validation:
Verify the structure and content of serialized data before deserialization, though this alone is insufficient protection.

4. Use cryptographic signatures:
If serialized PHP objects are necessary, sign the data with HMAC to ensure it hasn't been tampered with:

    // Serializing with signature
    $data = serialize($object);
    $signature = hash_hmac('sha256', $data, $secret_key);
    $package = $signature . ':' . $data;

    // Deserializing with verification: check the HMAC before the data ever reaches unserialize()
    list($signature, $data) = explode(':', $package, 2);
    $expected = hash_hmac('sha256', $data, $secret_key);
    if (hash_equals($expected, $signature)) { // constant-time comparison
        $object = unserialize($data, ['allowed_classes' => ['SafeClass']]);
    }

5. Review and audit:
Examine all uses of unserialize() in your codebase and assess whether object serialization is truly necessary for each use case.
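The following is an added example, not code from this vulnerability entry: it combines steps 2 and 4 into one wrapper and exercises the three cases a defender cares about (a valid round trip, a tampered payload, and an object whose class is not on the allow-list). The names signed_pack, signed_unpack, SafeClass and $secret are assumptions for illustration; the script throws if any check fails.

```php
<?php
// Added example, not code from the Invicti page: a wrapper combining
// remediation steps 2 (allowed_classes) and 4 (HMAC). The names
// signed_pack, signed_unpack, SafeClass and $secret are assumptions.
declare(strict_types=1);

final class SafeClass { public $label = 'x'; }

// Serialize and prepend an HMAC tag so tampering is caught before unserialize().
function signed_pack($value, string $secret): string {
    $data = serialize($value);
    return hash_hmac('sha256', $data, $secret) . ':' . $data;
}

// Verify the tag first, then unserialize under a strict class allow-list.
// $allowed: false (no objects at all) or an array of class names. Null on failure.
function signed_unpack(string $package, string $secret, $allowed = false) {
    $parts = explode(':', $package, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 64) {
        return null;                       // no separator or malformed tag
    }
    [$tag, $data] = $parts;
    if (!hash_equals(hash_hmac('sha256', $data, $secret), $tag)) {
        return null;                       // tag mismatch: modified or not issued by us
    }
    $value = unserialize($data, ['allowed_classes' => $allowed]);
    // unserialize() returns false on error, but "b:0;" legitimately decodes to false.
    return ($value === false && $data !== 'b:0;') ? null : $value;
}

$secret = 'replace-with-a-random-key-from-your-secret-store';   // placeholder value

// 1. Round trip of plain data with objects forbidden entirely.
$pkg = signed_pack(['user' => 'alice', 'role' => 'viewer'], $secret);
$out = signed_unpack($pkg, $secret);
if ($out['role'] !== 'viewer') throw new RuntimeException('round trip failed');

// 2. A same-length edit keeps the payload well-formed but invalidates the tag.
$tampered = str_replace('viewer', 'hacked', $pkg);   // 'v' is not hex, so only the data part changes
if (signed_unpack($tampered, $secret) !== null) throw new RuntimeException('tamper not detected');

// 3. An object outside the allow-list becomes __PHP_Incomplete_Class, so the
//    real class's methods and magic hooks (__wakeup, __destruct) never run.
$pkg = signed_pack(new SafeClass(), $secret);
$allowed = signed_unpack($pkg, $secret, ['SafeClass']);
$blocked = signed_unpack($pkg, $secret);
if (!$allowed instanceof SafeClass) throw new RuntimeException('allow-listed class rejected');
if (!$blocked instanceof __PHP_Incomplete_Class) throw new RuntimeException('unlisted class instantiated');
echo "all checks passed\n";
```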
