Posted by Chung Leong on 12/29/05 07:12
Unserialize() in some versions of PHP suffers from a buffer overrun
vulnerability. That's one reason.
Another is that it's easy to write type-dependent code that compromises
security. A while back a vulnerability was discovered in a popular
message forum software--phpBB I believe--that allowed an attacker to
gain administrative access by simply tinkering with the serialized data
inside the cookie. Somewhere in the code there was a string comparison
that goes like:
if($user->password == $admin_password) {
}
The comparison would occur as expected if $user->password is a string.
If $user->password is the integer 0, on the other hand, something very
strange and bad happens. The value supplied would match nearly all
possible passwords, because PHP's type conversion rules dictate that in
a comparison between an integer and a string, the string would get
converted to an integer first--with the number 0 being the likeliest
outcome.
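The pitfall described above, as an added example that is not part of the original post or of any forum software: a loose == check over unserialize()d cookie data next to a hardened version. Assumes PHP 7 or later; the admin password and both cookie strings are constructed sample values.

```php
<?php
// Added example, not from the original post. Shows how a type-juggled
// value inside attacker-controlled serialized data defeats a loose (==)
// password check, and a hardened replacement. The loose-comparison
// result shown is for PHP 5 and 7; PHP 8 changed int-vs-non-numeric-string
// comparison so that 0 == "secret" is now false, but the strict version
// is correct on every version.

const ADMIN_PASSWORD = 'secret';   // constructed sample value

// Cookie contents, constructed for the example. Normally the cookie would
// carry a serialized array whose password field is a string; the second
// one substitutes the integer 0 for that string.
const HONEST_COOKIE  = 'a:1:{s:8:"password";s:5:"wrong";}';
const JUGGLED_COOKIE = 'a:1:{s:8:"password";i:0;}';

// The pattern described in the post: loose comparison on unserialize()d data.
function loose_check(string $cookie): bool {
    $user = unserialize($cookie);
    return $user['password'] == ADMIN_PASSWORD;
}

// Hardened: never let cookie data instantiate objects, require the field
// to actually be a string, and compare type-strictly in constant time.
function strict_check(string $cookie): bool {
    $user = unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($user) || !isset($user['password']) || !is_string($user['password'])) {
        return false;
    }
    return hash_equals(ADMIN_PASSWORD, $user['password']);
}

foreach ([HONEST_COOKIE, JUGGLED_COOKIE] as $cookie) {
    printf("%-40s loose=%s strict=%s\n", $cookie,
        loose_check($cookie) ? 'ADMIN' : 'denied',
        strict_check($cookie) ? 'ADMIN' : 'denied');
}
```

On PHP 7 the juggled cookie passes loose_check() and fails strict_check(); real code would additionally store only a password hash and verify it with password_verify() rather than comparing the password itself.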