[Bug 310845] [NEW] php5 serialize() function corrupt strings

sir_gon gnzsquall at gmail.com
Tue Dec 23 09:11:04 GMT 2008


*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: libapache2-mod-php5

Package: PHP5: Version: 5.2.6-2ubuntu4
Ubuntu: 8.10 Intrepid Ibex

If a common object with protected or private properties is serialized, the returned string includes invalid characters.
This problem could affect any PHP web services on an Ubuntu-based server.

Example script serializeTest.php:

/////////////////////////////
<?php
class Something
{
  public $a = '123';
  protected $b = 'abc';
  private $c = 'xyz';
}

$data = new Something();
var_dump( $data ); // <= OK
var_dump( serialize($data) ); // <= Show invalid characters
/////////////////////////////

If I run the same script in php5-cgi, the problem does not happen.
I also tried it on a hosting service with PHP 5.2.6, and the problem does not happen there either.

** Affects: php5 (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
php5 serialize() function corrupt strings
https://bugs.launchpad.net/bugs/310845
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in ubuntu.
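
An added example, not part of the original report: PHP's serialize() format stores a protected property name as NUL, `*`, NUL, name and a private one as NUL, class name, NUL, name, so the output contains non-printable bytes. The script below assumes those bytes are what the report describes; the helper names `visible` and `describeProperty` are hypothetical.

```php
<?php
// Same class as in the report's serializeTest.php.
class Something
{
    public $a = '123';
    protected $b = 'abc';
    private $c = 'xyz';
}

// Render non-printable bytes as \xNN so the serialized string can be inspected.
function visible($s)
{
    $out = '';
    for ($i = 0; $i < strlen($s); $i++) {
        $o = ord($s[$i]);
        $out .= ($o < 0x20 || $o > 0x7e) ? sprintf('\\x%02x', $o) : $s[$i];
    }
    return $out;
}

// Split a serialized property name into (visibility, plain name).
function describeProperty($raw)
{
    if ($raw === '' || $raw[0] !== "\0") {
        return array('public', $raw);
    }
    $end = strpos($raw, "\0", 1);
    if ($end === false) {
        return array('malformed', $raw);
    }
    $owner = substr($raw, 1, $end - 1);
    $kind = ($owner === '*') ? 'protected' : 'private to ' . $owner;
    return array($kind, substr($raw, $end + 1));
}

$blob = serialize(new Something());
echo visible($blob), "\n";

// An (array) cast exposes the same NUL-prefixed names that serialize() writes.
foreach ((array) new Something() as $raw => $value) {
    list($kind, $name) = describeProperty((string) $raw);
    echo $name, ': ', $kind, "\n";
}

// The s:N: length prefixes count the NUL bytes, so the blob only round-trips
// when every byte survives; base64 is one way to carry it through text channels.
$intact = unserialize(base64_decode(base64_encode($blob))) == new Something();
$stripped = @unserialize(str_replace("\0", '', $blob));
echo 'intact round trip: ', var_export($intact, true), "\n";
echo 'NUL bytes stripped: ', var_export($stripped, true), "\n";
```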


