You are here

Home

gadget-chain

Research: Pair Framework PHP Object Injection

20 March 2025 - 8:12am — drew

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in the Pair Framework.

The maintainer, Viames, was very responsive to the report and addressed the issue quickly. Thanks!

https://github.com/viames/pair/releases/tag/2.0.0-beta

The fix was also backported to the earlier branch, with release 1.9.12

Details of the report:

Tags: 
gadget-chain
security
php-object-injection
cve
security-research

Research: Joomla File Write Gadget Chain

21 February 2025 - 3:18pm — drew

As part of my research into Gadget Chains and PHP Object Injection, I discovered a File Write Gadget Chain in Joomla.

I submitted a PR for this to the excellent PHPGGC project - it will hopefully be Joomla/FW1:

https://github.com/ambionics/phpggc/pull/202 (not yet merged)

I reported this to the Joomla Security Team (before submitting the PR), and they responded quickly.

Unlike some projects I've reported Gadget Chains to, they were grateful for the report and put a fix in place fast:

Tags: 
security-research
gadget-chain
php-object-injection
security

Research: PHP Object Injection in MODX Login Extra

21 February 2025 - 11:20am — drew

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in the MODX Login Extra project.

The MODX team responded immediately to my report and a fix was released within hours - very impressive!

They published details here:

https://community.modx.com/t/modx-login-extra-php-object-injection-vulne...

This was assessed as:

Tags: 
security-research
cve
php-object-injection
security
gadget-chain

Pages

Subscribe to RSS - gadget-chain
Powered by Drupal