Exploits 🚨🚨Unauthenticated RCE in vBulletin

dEEpEst

PHP 8.1 + Reflection = private method access. Bad combo, big risk.

To understand this class of vulnerability, let’s first take a look at a simplified example that reproduces the core issue: using PHP’s Reflection to dynamically call controller methods, without enforcing visibility restrictions or strict routing.

Here’s a minimal and trivial example of a vulnerable app:

PHP:
<?php

class ApiController
{
    /*
     *
     * Public methods meant to be exposed...
     *
     */

    protected function protectedMethod()
    {
        echo "This should be protected!";
    }

    public function handle($method)
    {
        // is_callable() is evaluated from inside the class here, so it also
        // returns true for protected and private methods of $this.
        if (!is_callable(array($this, $method)))
        {
            die("Not callable!");
        }

        $refMethod = new ReflectionMethod($this, $method);
        $refMethod->invoke($this);  // No visibility check
    }
}

// Simulate a web request
$api = new ApiController();
$api->handle($_GET['method']);  // Example: /api.php?method=protectedMethod

With this setup, and when the app is running over PHP 8.1+, simply accessing /api.php?method=protectedMethod will invoke a protected method directly — something the original developer likely assumed was inaccessible. While earlier PHP versions would have thrown an exception when trying to invoke a protected / private method without setAccessible(true), starting from PHP 8.1, this behavior has changed. Due to an internal adjustment to handling of ReflectionMethod::invoke() and similar methods, it now allows — by default — invocation of protected / private methods when using PHP’s Reflection API. This subtle change can turn previously “safe” dynamic routing into a serious security issue… Like in the vBulletin case!
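A hardened version of the dispatcher above, as an added example that is not part of the original post or of vBulletin's code: it routes only allowlisted names and checks the method's declared visibility through Reflection before invoking. The class name, the `status` and `version` actions and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hardened dispatcher. Class and method names are hypothetical.
final class SafeApiController
{
    // Explicit allowlist of routable actions (assumed names for this sketch).
    private const ROUTABLE = ['status', 'version'];

    public function status(): string  { return 'ok'; }
    public function version(): string { return '1.0'; }

    protected function protectedMethod(): string
    {
        return 'This should be protected!';
    }

    public function handle(mixed $method): string
    {
        // 1. Only exact string names from the allowlist are routable.
        if (!is_string($method) || !in_array($method, self::ROUTABLE, true)) {
            return 'Not callable!';
        }

        // 2. Defence in depth: is_callable() is evaluated in class scope here,
        //    so it accepts protected/private methods. Ask Reflection for the
        //    declared visibility, since invoke() does not enforce it on 8.1+.
        $ref = new ReflectionMethod($this, $method);
        if (!$ref->isPublic() || $ref->isStatic() || $ref->isConstructor()) {
            return 'Not callable!';
        }

        return (string) $ref->invoke($this);
    }
}

// Constructed inputs standing in for $_GET['method'].
$api = new SafeApiController();
foreach (['status', 'protectedMethod', 'handle', ['status'], '__construct'] as $input) {
    $label = is_string($input) ? $input : gettype($input);
    printf("%-16s => %s\n", $label, $api->handle($input));
}
```

The allowlist alone already blocks `protectedMethod`; the `isPublic()` check keeps the dispatcher safe if a non-public name is later added to the list by mistake.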
