September 21, 2011

ASV Vulnerabilities

When applying for a PCI DSS ASV certificate we came across a service based on the Qcodo framework with quite an amusing vulnerability in it. The vulnerability is caused by the peculiar behavior of the PHP interpreter that occurs when deserializing inherited objects. All versions of this CMS proved vulnerable.