This queue is for tickets about the App-Context CPAN distribution.

Report information
The Basics
Id: 85215
Status: new
Priority: 0/
Queue: App-Context

People
Owner: Nobody in particular
Requestors: john [...] nixnuts.net
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in:
  • 0.01
  • 0.90
  • 0.93
  • 0.95
  • 0.96
  • 0.962
  • 0.963
  • 0.964
  • 0.965
  • 0.966
  • 0.9661
  • 0.967
  • 0.968
Fixed in: (no value)



Subject: Storable::thaw called on untrusted inputs
App::Session::Cookie and App::Session::HTMLHidden in the App::Context CPAN module distribution allow storing data of any type on the client side browser using HTTP cookies and hidden form parameters. The data is serialized and deserialized using Perl's Storable module without any protections against tampering. This means any application using App::Session::Cookie or App::Session::HTMLHidden will run Storable::thaw() on arbitrary untrusted user input.

Storable is documented as being unsuitable for these purposes. From the Storable POD:

"Some features of Storable can lead to security vulnerabilities if you accept Storable documents from untrusted sources. Most obviously, the optional (off by default) CODE reference serialization feature allows transfer of code to the deserializing process. Furthermore, any serialized object will cause Storable to helpfully load the module corresponding to the class of the object in the deserializing module. For manipulated module names, this can load almost arbitrary code. Finally, the deserialized object's destructors will be invoked when the objects get destroyed in the deserializing process. Maliciously crafted Storable documents may put such objects in the value of a hash key that is overridden by another key/value pair in the same hash, thus causing immediate destructor execution."

This bug has been assigned CVE-2012-6141.
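
One way to add the tamper protection the report says is missing, shown as an added example that is not part of the ticket or of App::Context's own code: the server prepends an HMAC-SHA256 tag to the frozen state and verifies it before Storable::thaw() ever sees the bytes. The names seal_state, open_state and $SECRET are hypothetical, and the key and session data are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: authenticate client-held session state before Storable::thaw.
# seal_state/open_state and $SECRET are hypothetical names, not App::Context API.
use strict;
use warnings;
use Storable qw(nfreeze thaw);
use Digest::SHA qw(hmac_sha256);
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed demo key; a real deployment loads a random key from server config.
my $SECRET  = 'constructed-demo-key-not-for-production';
my $MAC_LEN = 32;    # HMAC-SHA256 output size in bytes

# Serialize a data structure and prepend a MAC over the serialized bytes.
sub seal_state {
    my ($data) = @_;
    my $blob = nfreeze($data);
    return encode_base64(hmac_sha256($blob, $SECRET) . $blob, '');
}

# Return the data structure, or undef if the value was not produced by
# seal_state with the same key. thaw() runs only after the MAC has verified.
sub open_state {
    my ($cookie) = @_;
    return undef unless defined $cookie && $cookie =~ m{\A[A-Za-z0-9+/]+={0,2}\z};
    my $raw = decode_base64($cookie);
    return undef if length($raw) <= $MAC_LEN;
    my $mac  = substr($raw, 0, $MAC_LEN);
    my $blob = substr($raw, $MAC_LEN);
    my $want = hmac_sha256($blob, $SECRET);
    # Constant-time comparison: XOR the 32-byte strings, count non-NUL bytes.
    my $diff = $mac ^ $want;
    return undef if ($diff =~ tr/\0//c) != 0;
    return thaw($blob);
}

# Constructed sample state.
my $cookie = seal_state({ user => 'alice', cart => [ 17, 42 ] });
my $ok     = open_state($cookie);
print "valid cookie -> user=$ok->{user}\n";

# Flip one bit in the serialized payload; the MAC check rejects it before thaw.
my $raw = decode_base64($cookie);
substr($raw, -1, 1) = chr(ord(substr($raw, -1, 1)) ^ 0x01);
my $verdict = defined open_state(encode_base64($raw, '')) ? 'accepted' : 'rejected';
print "tampered     -> $verdict\n";
```

The MAC provides integrity only, so the client can still read the stored state. Serializing session data in a data-only format such as JSON avoids Storable's module loading and destructor behaviour altogether.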