Skip to content

hardening(mikrotik_users): restrict unserialize() to scalar types to prevent object injection #87

Description

@somethingwithproof

Summary

mikrotik_users.php:63 calls unserialize() on a POST parameter without the ['allowed_classes' => false] option. Any authenticated Cacti user can POST a crafted serialised payload that instantiates arbitrary PHP objects, enabling property-oriented programming (POP) gadget chain execution if suitable classes exist in the autoloader.

The form at line 157 emits the serialised value without a CSRF token, widening the attack surface to cross-site POST from any page the victim visits.

Details

Field Value
File mikrotik_users.php
Line 63
Auth required Yes — authenticated Cacti user
CWE CWE-502
// Before
$selected_items = unserialize(stripslashes(get_request_var('selected_items')));

// After
$selected_items = unserialize(stripslashes(get_request_var('selected_items')), ['allowed_classes' => false]);
if (!is_array($selected_items)) {
    $selected_items = [];
}

Fix applied in branch security/1-restrict-unserialize-allowed-classes.

Acceptance criteria

  • ['allowed_classes' => false] passed to all unserialize() calls on request data
  • Non-array result coerced to empty array before downstream loop
  • Regression test in tests/Security/ObjectInjectionTest.php

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions