Maybe when Zend_Log is serialized/unserialized, it should clear all writers, similar to how unserializing a Zend_Db_Row instance results in a "disconnected" row. But I'm not sure how to "reconnect" the writers in the event that a developer wants to legitimately unserialize a logger (perhaps for caching purposes).
If there was a reloadWriters() method that needed to be called in order to unserialize the writers, would that help?

-- 
Hector

On Fri, Feb 19, 2010 at 7:19 AM, Nick Pack <n...@nickpack.com> wrote:
> Hi All,
>
> Wondering if anyone has seen this (I know the article itself is related to
> PHPIDS, but includes ZF):
> https://www.sektioneins.de/en/advisories/advisory-022009-phpids-unserialize-vulnerability/index.html
>
> It highlights some possible exploitable flaws in Zend_Log and
> Zend_Log_Writer_Mail – do these need looking at?
>
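The "disconnected on unserialize, reconnect explicitly" idea from the reply above, sketched as an added example. This is not Zend_Log or any other Zend Framework code; the class `DisconnectingLogger`, the `LogWriter` interface, `EchoWriter` and the `reloadWriters()` signature are all hypothetical. `__sleep()` keeps writer objects (which may wrap file handles, sockets or mail transports) out of the serialized payload, `__wakeup()` leaves the restored logger unable to emit anything, and only an explicit `reloadWriters()` call reattaches writers. The `allowed_classes` option on `unserialize()` (PHP 7.0+) is shown as a second, independent control on which classes a payload may instantiate.

```php
<?php
// Added illustration (not Zend Framework code): a logger that drops its
// writers when unserialized and requires an explicit reloadWriters() call,
// mirroring the "disconnected row" idea from the thread. Class and method
// names are hypothetical.

interface LogWriter
{
    public function write(string $message): void;
}

final class EchoWriter implements LogWriter
{
    public function write(string $message): void
    {
        echo $message, PHP_EOL;
    }
}

final class DisconnectingLogger
{
    /** @var LogWriter[] */
    private array $writers = [];
    private bool $connected = true;

    public function addWriter(LogWriter $writer): void
    {
        $this->writers[] = $writer;
    }

    public function log(string $message): void
    {
        if (!$this->connected) {
            throw new LogicException('Logger is disconnected; call reloadWriters() first');
        }
        foreach ($this->writers as $writer) {
            $writer->write($message);
        }
    }

    // Only the flag is serialized; writer objects never enter the payload.
    public function __sleep(): array
    {
        return ['connected'];
    }

    // A freshly unserialized logger has no writers and refuses to log until
    // the application explicitly reattaches them.
    public function __wakeup(): void
    {
        $this->writers = [];
        $this->connected = false;
    }

    /** @param LogWriter[] $writers */
    public function reloadWriters(array $writers): void
    {
        $this->writers = [];
        foreach ($writers as $writer) {
            $this->addWriter($writer);
        }
        $this->connected = true;
    }
}

// Usage: serialize a live logger, restore it, observe that it is disconnected,
// then reconnect it. allowed_classes restricts what the payload may instantiate.
$logger = new DisconnectingLogger();
$logger->addWriter(new EchoWriter());
$logger->log('before serialization');

$restored = unserialize(
    serialize($logger),
    ['allowed_classes' => [DisconnectingLogger::class]]
);

try {
    $restored->log('this will not be written');
} catch (LogicException $e) {
    echo 'refused: ', $e->getMessage(), PHP_EOL;
}

$restored->reloadWriters([new EchoWriter()]);
$restored->log('after reloadWriters()');
```

The point of keeping `reloadWriters()` explicit is that the code path which restores a cached logger has to decide, in application code, which writers (and which destinations) it is willing to attach, rather than trusting whatever the serialized data described.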