
This is a security testing module intended to help test fixes for gadget chains (aka POP chains) in Drupal applications.

[blink tag] This should never be installed on production. [/blink tag]

Features

The module simply provides a route which will pass a payload to PHP's unserialize().

The payload can be passed as a GET or a POST parameter, with the name payload.

By default, access to the route requires authentication as a user with the "administer site configuration" permission, so it would typically be necessary to include a valid session cookie with the request.

It's possible to bypass this restriction with the following in settings.php:

$settings['gadget_chain_poc_free_access'] = TRUE;

Use this override at your own risk, and with extreme caution.

Additional options

The following optional parameters can be passed along with the payload (the value is ignored).

  • base64 - the payload will go through `base64_decode()` before being passed to unserialize().
  • tostring - the unserialized object will be cast to a string, invoking the relevant __toString() magic method.
  • output - display the result of the call to unserialize(); it will be pretty-printed as HTML by default, but can also be output as JSON if the GET parameter _format=json is sent in the request.
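
The following stand-alone PHP script is an added example, not the module's own code: it mirrors the payload, base64 and tostring handling described above to show how a tester can confirm that a fix stops magic methods from firing. DemoGadget and run_payload() are hypothetical names, the processing order is an assumption taken from the parameter descriptions, and unserialize()'s allowed_classes option stands in for the fix under test.

```php
<?php
// Constructed stand-in for a gadget class: its magic methods only record
// that they ran, so the caller can observe whether a fix blocks them.
final class DemoGadget {
  public static array $fired = [];
  public string $label = 'demo';
  public function __wakeup(): void { self::$fired[] = '__wakeup'; }
  public function __toString(): string {
    self::$fired[] = '__toString';
    return $this->label;
  }
}

// Hypothetical helper (assumption): applies the documented parameters in the
// order their descriptions imply. $options is passed to unserialize() so the
// same payload can be replayed with and without the fix.
function run_payload(array $params, array $options = []): array {
  DemoGadget::$fired = [];
  $payload = $params['payload'] ?? '';
  // The parameter's value is ignored; only its presence matters.
  if (array_key_exists('base64', $params)) {
    $payload = base64_decode($payload, true);
    if ($payload === false) {
      return ['error' => 'invalid base64', 'fired' => []];
    }
  }
  $result = @unserialize($payload, $options);
  $string = null;
  if (array_key_exists('tostring', $params) && is_object($result)) {
    try {
      $string = (string) $result;
    } catch (\Throwable $e) {
      // Objects without __toString(), including __PHP_Incomplete_Class,
      // cannot be cast to a string; record that no string was produced.
      $string = null;
    }
  }
  return [
    'class' => is_object($result) ? get_class($result) : gettype($result),
    'string' => $string,
    'fired' => DemoGadget::$fired,
  ];
}

// Constructed sample payload: a serialized DemoGadget, base64-encoded.
$params = ['payload' => base64_encode(serialize(new DemoGadget())), 'base64' => '', 'tostring' => ''];
$before = run_payload($params);                              // no restriction
$after = run_payload($params, ['allowed_classes' => false]); // fix applied
echo json_encode(['before' => $before, 'after' => $after], JSON_PRETTY_PRINT), PHP_EOL;
```

With the restriction in place the object comes back as __PHP_Incomplete_Class and the fired list stays empty, which is the signal that the chain's entry points are no longer reachable through this payload.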

Releases

Version Type Release date
1.0.x-dev Dev Jan 23, 2025