From 3060b81caae4a4c0b3d2d821415d8a9dc02a9ff5 Mon Sep 17 00:00:00 2001 From: Giulio Date: Fri, 29 Nov 2019 11:48:21 +0100 Subject: [PATCH] Wrong unserialize input --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 662db9d..3d9b731 100755 --- a/README.md +++ b/README.md @@ -318,10 +318,10 @@ Since I do not have access to the 8770 files and i can't test the upload code fo * Multiple calls to unserialize on untrusted data: ``` - unserialize(gzuncompress($MyG["themes"])); + unserialize(gzuncompress($_COOKIE["themes"])); unserialize(gzuncompress($_COOKIE["station"])); unserialize(gzuncompress($_COOKIE["cfilter"])); - unserialize(gzuncompress($MyG["bookmarks"])); + unserialize(gzuncompress($_COOKIE["bookmarks"])); ``` I did not find an exploitable chain but: all the PHP version shipped with this product have multiple unserialize CVE and I did not find a way but it is possible to play with the COM class.