At yesterday’s RSS09 conference I gave a slightly different version of my “Shocking News in PHP Exploitation” talk. This time I disclosed for the first time how unserializing user input in Zend Framework-based applications can result in direct remote PHP code execution.
The topics of my talk were
- easy ways to bypass ModSecurity and f5 big IP
- executing PHP code on Zend Framework-based applications that unserialize user input
- how to still exploit PHP interruption vulnerabilities after recent fixes in PHP
You can grab my new slides here.