
When applying for a PCI DSS ASV certificate, we came across a service based on the Qcodo framework with quite an amusing vulnerability in it. The vulnerability is caused by the peculiar behavior of the PHP interpreter that occurs when deserializing inherited objects. All versions of this CMS proved vulnerable.