gadget-chain

Research: PHP Object Injection in b1gMail

3 April 2025 - 1:48pm — drew

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in b1gMail.

The maintainer was very responsive to the report and addressed the issue quickly. Thanks!

https://github.com/b1gMail-OSS/b1gMail/releases/tag/7.4.1-pl2

Details of the report:

https://gist.github.com/mcdruid/cb0b848c12fd6a6bc0c1b3357b983d30

Tags:

Read more about Research: PHP Object Injection in b1gMail
Log in to post comments

Research: PHP Object Injection in Pair Framework

20 March 2025 - 8:12am — drew

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in the Pair Framework.

The maintainer, Viames, was very responsive to the report and addressed the issue quickly. Thanks!

https://github.com/viames/pair/releases/tag/2.0.0-beta

The fix was also backported to the earlier branch, with release 1.9.12

Details of the report:

Tags:

Read more about Research: PHP Object Injection in Pair Framework
Log in to post comments

Research: Joomla File Write Gadget Chain

21 February 2025 - 3:18pm — drew

As part of my research into Gadget Chains and PHP Object Injection, I discovered a File Write Gadget Chain in Joomla.

I submitted a PR for this to the excellent PHPGGC project - it will hopefully be Joomla/FW1:

https://github.com/ambionics/phpggc/pull/202 (not yet merged)

I reported this to the Joomla Security Team (before submitting the PR), and they responded quickly.

Unlike some projects I've reported Gadget Chains to, they were grateful for the report and put a fix in place fast:

Tags:

Read more about Research: Joomla File Write Gadget Chain
Log in to post comments

Research: PHP Object Injection in MODX Login Extra

21 February 2025 - 11:20am — drew

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in the MODX Login Extra project.

The MODX team responded immediately to my report and a fix was released within hours - very impressive!

They published details here:

https://community.modx.com/t/modx-login-extra-php-object-injection-vulne...

This was assessed as:

Tags:

Read more about Research: PHP Object Injection in MODX Login Extra
Log in to post comments

Research: PHP Object Injection in Lightning OpenCart module

26 January 2025 - 12:00am — drew

As part of my research into Gadget Chains and PHP Object Injection, I discovered a vulnerability in the Lightning OpenCart module.

(POP/) Gadget Chains exist in OpenCart (3 and 4) which allow Object Injection vulnerabilities to be exploited, for example to write arbitrary files or achieve Remote Code Execution.

The maintainer was very responsive to the report and addressed the issue quickly. Thanks!

Details: https://gist.github.com/mcdruid/f8153d7d535c0fcba920e83a64953d4e

Tags:

Read more about Research: PHP Object Injection in Lightning OpenCart module
Log in to post comments

Research: PHP Object Injection in Aridius Opencart modules

21 January 2025 - 12:00am — drew

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in multiple OpenCart modules named aridius_XYZ.

It appears that current "official" releases of Aridius modules are not vulnerable. However, it also appears to be common for "unofficial" versions of the extensions to be used.

At the time of discovery, at least one such unofficial version was available for free download from the OpenCart marketplace - this release was vulnerable.

The vulnerability is exploitable remotely without authentication.

Tags: