Skip Menu |

This queue is for tickets about the Spoon CPAN distribution.

Report information
The Basics
Id: 85217
Status: new
Priority: 0/
Queue: Spoon

People
Owner: Nobody in particular
Requestors: john [...] nixnuts.net
Cc: CARNIL [...] cpan.org
AdminCc:

Bug Information
Severity: Important
Broken in: 0.24
Fixed in: (no value)



Subject: Storable::thaw called on untrusted inputs
Spoon::Cookie in the Spoon CPAN module distribution allow storing data of any type on the client side browser using HTTP cookies. The data is serialized and deserialized using Perl's Storable module without any protections against tampering. This means any application using Spoon::Cookie will run Storable::thaw() on arbitrary untrusted user input. Storable is documented as being unsuitable for these purposes. From the Storable POD: Some features of Storable can lead to security vulnerabilities if you accept Storable documents from untrusted sources. Most obviously, the optional (off by default) CODE reference serialization feature allows transfer of code to the deserializing process. Furthermore, any serialized object will cause Storable to helpfully load the module corresponding to the class of the object in the deserializing module. For manipulated module names, this can load almost arbitrary code. Finally, the deserialized object's destructors will be invoked when the objects get destroyed in the deserializing process. Maliciously crafted Storable documents may put such objects in the value of a hash key that is overridden by another key/value pair in the same hash, thus causing immediate destructor execution.
This bug has been assigned CVE-2012-6143.