Quite a few languages, stacks, libraries, etc. have been hit by deserialisation attacks as of late including libraries for C# and Java, Drupal, vBulletin 5, etc.
The ones for C# and Java relied on insecure mappings of JSON documents to objects, while the others relied on the infamous PHP function unserialize() which many use as a legacy internal substitute for JSON due to it being bundled natively with PHP.
The dangers of unserialize() have been known for quite a number of years, and yet remote code execution vulnerability after remote code execution vulnerability is found in Drupal fairly frequently. And there are many systems which use unserialize(), but which haven't been found vulnerable... yet.
For those who don't know, remote code execution (also known as arbitrary code execution) is the highest class of security vulnerability. With it, you can do anything the app process can do.
If you're root, you can even dump /etc/passwd and install rootkits, and if you're limited, then you can still steal the database, log in as the administrator, hide a virus after the admin thinks they've "cleaned the site", or stealthily host a phishing page or skim people's credit card details.
It's imperative that systems transition to JSON or a safer alternative as soon as possible, as unserialize() is fundamentally broken with no intention of fixing it, since it was never intended to be exposed to user-provided content.
JSON also has the benefit of being natively supported by databases, so you can run queries based on the structure of the JSON data.
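To make the contrast concrete, here is an added PHP example (my own code, not from the original post or from any of the projects it mentions) showing the unrestricted unserialize() call the post warns about beside the two safer options: JSON via json_decode(), and, for legacy data that cannot be migrated yet, unserialize() with `allowed_classes` disabled (available since PHP 7.0). The sample blobs, function names and the class name `NoSuchClass` are constructed for this example; `NoSuchClass` deliberately does not exist, so the object token is inert here.

```php
<?php
declare(strict_types=1);

// Constructed sample input: a harmless serialized array, as an app might have
// stored in a cookie or a database column in the past.
const LEGACY_BLOB = 'a:2:{s:4:"user";s:5:"alice";s:4:"role";s:6:"member";}';

// Constructed sample input: the same shape of data with an embedded object
// token. The sender, not the application, chooses the class name here; with a
// real class, unserialize() would instantiate it and run its __wakeup()/
// __destruct() hooks, which is the root of the RCE class the post describes.
const OBJECT_BLOB = 'a:1:{s:4:"user";O:11:"NoSuchClass":0:{}}';

/**
 * Unsafe: untrusted input reaches unserialize() unrestricted, so the sender
 * decides which classes get instantiated. Shown only as the "before" case.
 */
function loadLegacyUnsafe(string $blob)
{
    return unserialize($blob);
}

/**
 * Mitigation for data that must stay in PHP's serialize() format for now:
 * allowed_classes => false turns every object token into __PHP_Incomplete_Class
 * instead of instantiating the named class, so no magic methods run. Any such
 * placeholder is then rejected outright, because a legitimate session/config
 * blob should only ever contain scalars and arrays.
 */
function loadLegacyHardened(string $blob): array
{
    $data = unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a serialized array');
    }
    array_walk_recursive($data, function ($value): void {
        if ($value instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('object token in untrusted serialized data');
        }
    });
    return $data;
}

/**
 * Preferred: JSON. json_decode() with $associative = true can only produce
 * scalars and arrays, never instances of application classes, so there is
 * nothing for an attacker to instantiate. JSON_THROW_ON_ERROR (PHP 7.3+) turns
 * malformed input into an exception instead of a silent null.
 */
function loadJson(string $json): array
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a JSON object or array');
    }
    return $data;
}

/**
 * One-off migration helper: re-encode an existing serialize() blob as JSON,
 * going through the hardened loader so the migration itself cannot be abused.
 */
function migrateToJson(string $legacyBlob): string
{
    return json_encode(loadLegacyHardened($legacyBlob), JSON_THROW_ON_ERROR);
}

// Demonstration.
// The unrestricted call happily builds an object from the untrusted token
// (an incomplete one here only because NoSuchClass does not exist).
var_dump(loadLegacyUnsafe(OBJECT_BLOB)['user'] instanceof __PHP_Incomplete_Class); // bool(true)

// The hardened loader refuses the same input.
try {
    loadLegacyHardened(OBJECT_BLOB);
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// The benign legacy blob migrates cleanly and round-trips through JSON.
$json = migrateToJson(LEGACY_BLOB);
echo $json, "\n"; // {"user":"alice","role":"member"}
print_r(loadJson($json));
```

The `allowed_classes` option is a stop-gap: it removes the object-instantiation primitive, but the rest of the parser is still handling attacker-controlled input, so treat it as the bridge while stored data is migrated to JSON, not as the destination.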