Type Juggling -> PHP Object Injection -> SQL Injection Chain
ExpressionEngine
Team Summary
Official summary from ExpressionEngine
Justin Kennedy identified a Type Juggling vulnerability in ExpressionEngine that allowed access to unserialize using user-supplied data, ultimately achieving SQL Injection. The full details of this vulnerability can be found here: https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/
Reported by: jstnkndy
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Cryptographic Issues - Generic