About this advisory
As reported in issue #464, in our sample code for the OAuth implementation of our PHP client (zendesk_api_client_php/samples/auth/oauth.php), we demonstrated an unsafe use of the unserialize function, which, if copied into application code, could lead to deserialization attacks.
Impact
This unsafe function is not actively used in the library and does not expose users to any risk. However, we acknowledge that demonstrating the use of this function could result in developers re-using this in their code.
Fix
We have removed the code sample from this repository, to prevent accidental reuse of the code.
Next steps
If you are using the OAuth features of this library, we recommend you confirm you are not using the unserialize function on user-supplied input, as per the recommendation in the PHP documentation.
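The recommendation above, as an added PHP example that is not code from the Zendesk client or from the removed sample: it contrasts the pattern the advisory warns against (unserialize on data an outside party can control) with a JSON-based loader that decodes into plain arrays and validates the fields. The token shape, the function names and the storage format are assumptions made for this illustration, not anything the library defines.

```php
<?php
// Added example (not the Zendesk client's own code). Function names and the
// token layout are hypothetical assumptions for this illustration.

declare(strict_types=1);

/**
 * Pattern the advisory warns against: unserialize() on data that an outside
 * party can influence (a cookie, a request body, a shared file). PHP will
 * instantiate whatever classes the input names and run their magic methods
 * (__wakeup, __destruct), which is the root of PHP object injection.
 * Shown only to contrast with the safe loaders below.
 */
function loadTokenUnsafe(string $raw)
{
    return unserialize($raw);
}

/**
 * Preferred replacement: persist the token as JSON, decode into associative
 * arrays only (never objects), and accept only the expected fields.
 */
function loadTokenSafe(string $raw): array
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);

    if (!is_array($data)) {
        throw new UnexpectedValueException('Token payload must be a JSON object');
    }

    // Whitelist of expected keys and their scalar types (assumed layout).
    $expected = [
        'access_token' => 'string',
        'token_type'   => 'string',
        'expires_at'   => 'integer',
    ];

    $token = [];
    foreach ($expected as $key => $type) {
        if (!array_key_exists($key, $data) || gettype($data[$key]) !== $type) {
            throw new UnexpectedValueException("Missing or invalid '$key' in token payload");
        }
        $token[$key] = $data[$key];
    }
    return $token;
}

/**
 * If a legacy serialized format cannot be replaced immediately, at minimum
 * refuse to instantiate classes: with allowed_classes => false every
 * serialized object becomes __PHP_Incomplete_Class, so no application
 * class's magic methods run. This narrows the risk but does not remove it;
 * migrating to JSON (loadTokenSafe) is still the right end state.
 */
function loadTokenLegacy(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || array_filter($data, 'is_object') !== []) {
        throw new UnexpectedValueException('Serialized token must be a plain array of scalars');
    }
    return $data;
}

// Constructed sample input (placeholder values, not real credentials).
$stored = json_encode([
    'access_token' => 'example-token-value',
    'token_type'   => 'bearer',
    'expires_at'   => 1700000000,
]);

var_dump(loadTokenSafe($stored));
```

Running the file prints the validated token array. Any stored payload that is not a JSON object, that carries unexpected keys only, or that has a field of the wrong type is rejected with an exception rather than being turned into objects, which is the property the advisory's recommendation is after.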
References
OWASP guide to PHP object injection
PHP documentation for the unserialize function
For more information
If you have any questions or comments about this advisory, email us at Zendesk Security
We also invite security researchers to report issues to us using our Bug Bounty program, where we reward them for helping make our product safer.