Posted by Scott Arciszewski on Apr 20
Hi FD Readers,
If you’re using cookie-based session storage with any version of the
Laravel Framework since 4.1 (inclusive), and you turned encryption off (I
can’t imagine why anyone would do that, but I’ve seen some weird setups),
you are vulnerable to PHP Object Injection.
The story begins here:
https://github.com/laravel/framework/blob/253d63a550b4508e56ec0f7536e5e4f302661148/src/Illuminate/Session/SessionManager.php#L34
No…
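The condition described in the post, an unencrypted and unauthenticated cookie payload reaching `unserialize()`, shown as an added example in plain PHP 8; it is not part of the original message and is not Laravel's session code. The class `AuditProbe`, the function names and the `base64.hmac` cookie layout are hypothetical and exist only for this illustration.

```php
<?php
// Constructed stand-in for any autoloadable class with a magic method.
final class AuditProbe
{
    public static array $fired = [];
    public string $label = 'constructed';
    public function __wakeup(): void { self::$fired[] = $this->label; }
}

// Weak pattern: the client-supplied cookie goes straight into unserialize().
function loadSessionUnsafe(string $cookie): mixed
{
    return unserialize(base64_decode($cookie));
}

// Hypothetical cookie format for this example: base64(payload) . '.' . hex HMAC.
function sealSession(array $data, string $key): string
{
    $b64 = base64_encode(serialize($data));
    return $b64 . '.' . hash_hmac('sha256', $b64, $key);
}

// Hardened: authenticate first, then decode without instantiating classes.
function loadSessionSafe(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $b64, $key), $mac)) {
        return null;
    }
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        return null;
    }
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

$key = random_bytes(32);                               // per-application secret
$cookie = base64_encode(serialize(new AuditProbe()));  // constructed client value

loadSessionUnsafe($cookie);
var_dump(AuditProbe::$fired);             // shows whether __wakeup ran
var_dump(loadSessionSafe($cookie, $key)); // unauthenticated value is refused
var_dump(loadSessionSafe(sealSession(['user_id' => 42], $key), $key));
```

The safe loader rejects the cookie before `unserialize()` is reached, and `allowed_classes => false` remains as a second layer if the key is ever exposed.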