Product: Slim PHP Framework
Website: http://www.slimframework.com/
Affected versions: 2.5.0 and lower
Fixed in: 2.6.0 (released 2015-03-01)
CVSS Score: I don't care. Does anybody really?

>From their homepage:

"""
Slim has super-secure cryptography using military-grade encryption. Slim
uses your unique key to encrypt session and cookie data before persisting
data to disk.
"""

Wow, sounds great. Let's look under the hood.

https://github.com/slimphp/Slim/issues/1034
https://github.com/slimphp/Slim/issues/1035
https://github.com/slimphp/Slim/issues/1037

So not are they calling unserialize() on user data (hello PHP Object
Injection) in their SessionCookie class, but their "super-secure" crypto
library that uses "military-grade" encryption doesn't authenticate
ciphertexts. Oops.

And even if you were using the develop branch, there were a whole host of
issues with it (h/t Taylor Hornby for his 10 minute audit).

Their readme claims to encrypt cookie data, but this is moot since they're
using AES-CBC without any authentication. You just need 256 (128 on
average) tries per byte to change it to a valid value. Since the client
controls session state, you get unlimited tries.

After a lengthy discussion, I wrote a patch that replaced the serialization
with JSON encoding and closed one hole, but there are undoubtedly plenty
more that remain.

======================================================================
Vulnerable code:

https://github.com/slimphp/Slim/blob/3a2ac723f17b5d81607287ff28575d38b9fbc70e/Slim/Middleware/SessionCookie.php#L127

If you are using the Slim framework, you might not be vulnerable. If you
were using the session cookie feature (which limits the amount of data you
can store in $_SESSION to under 4 KB) on Slim 2.5.0 or older, you are
vulnerable. Upgrade to 2.6.0 immediately.
======================================================================

Speaking from personal experience, PHP developers catch a lot of flak from
the infosec community, and some of us don't really deserve it. It's
actually quite obnoxious.

That said, the owner of the Slim framework is also the author of PHP: The
Right Way. I'm a little disappointed that something so obvious would be
found in one of his projects. (Next thing you know, someone is going to
find a remotely exploitable vulnerability in Symfony, or something!) Silver
lining: he rolled out a new version the same day it was reported.

I only discovered this because someone complained that an Anti-CSRF library
wouldn't work with Slim. I'll leave the thought of "how many people could
have seen this and not reported it so they could silently exploit it for
fun and profit?" to your imagination since I have no data on this.

TL;DR - Slim users should upgrade to 2.6.0 as soon as possible. Developers
should stop using unserialize() on user input, and stop rolling out their
own cryptography libraries. Also, encryption is not authentication. Go play
with the Matasano Crypto Challenges for more on "unauthenticated CBC mode
is not secure".

Thank you and good night.

Scott Arciszewski

P.S. If anyone is interested in learning more about writing secure PHP
code, the http://www.securingphp.com newsletter is great. I highly
recommend it.