Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). Varbase Media Header 9.2.1 Minor update available for module varbase_media_header (9.2.1). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

This module provides a testing tool for Gadget Chains in Drupal, allowing developers to send payloads to PHP's `unserialize()` function. It is intended for security testing only and should not be used on production sites.

This is a Security testing module intended to help test fixes for Gadget Chains (aka POP Chains) in Drupal applications.

[blink tag] This should never be installed on production. [/blink tag]

Features

The module simply provides a route which will pass a payload to PHP's unserialize().

The payload can be passed as a GET or a POST parameter, with the name payload.

By default, access to the route requires authentication as a user with the "administer site configuration" permission, so it would typically be necessary to include a valid session cookie with the request.

It's possible to bypass this restriction with the following in settings.php:

$settings['gadget_chain_poc_free_access'] = TRUE;

Use this override at your own risk, and with extreme caution.

Additional options

The following optional parameters can be passed along with the payload (the value is ignored).

  • base64 - the payload will go through `base64_decode()` before being passed to unserialize().
  • tostring - the unserialized object will be cast to a string, invoking the relevant __toString() magic method.
  • output - display the result of the call to unserialize(); it will be pretty-printed as HTML by default, but can also be output as json if the GET param _format=json is sent in the request.

Activity

Total releases
1
First release
Jan 2025
Latest release
1 year ago
Releases (12 mo)
0 ▼ from 1
Maintenance
Dormant

Releases

Version Type Release date
1.0.x-dev Dev Jan 23, 2025