CWebUser lines 460-462:
if($cookie && !empty($cookie->value) && is_string($cookie->value) && ($data=$app->getSecurityManager()->validateData($cookie->value))!==false)
{
    $data=@unserialize($data);
If a user can authenticate with cookie-based authentication, he gains the necessary information to brute force the secret key used by CSecurityManager. Application security is dependent on an algorithm - because anyone with this key could possibly create a cookie with any data, which is directly passed to unserialize, i.e. arbitrary code execution. So my question is - how safe is this private key? Do we have a guarantee that it won't be brute forced by our users?
Any thoughts appreciated.
P.S. Not sure if this is the correct place to post this
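One way to keep a validateData()-style HMAC check while taking a full unserialize() out of the trust path, as an added example that is neither Yii's code nor part of the original post (the cookie layout, the key handling and the function names are assumptions):

```php
<?php
// Added example, not Yii's own code: a signed cookie that keeps the HMAC
// validation step but never hands attacker-controlled bytes to a full
// unserialize(). Cookie layout and key handling are assumptions.

const COOKIE_HMAC_ALGO = 'sha256';

function signCookie(array $payload, string $key): string
{
    // JSON is a data-only format: decoding it can never instantiate
    // objects, so it is a safer carrier than PHP's serialize().
    $data = json_encode($payload, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac(COOKIE_HMAC_ALGO, $data, $key);
    return $mac . '|' . base64_encode($data);
}

function readCookie(string $cookie, string $key): ?array
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $encoded] = $parts;
    $data = base64_decode($encoded, true);
    if ($data === false) {
        return null;
    }
    // Constant-time comparison: a plain == would leak timing information
    // about how many leading bytes of a forged MAC were correct.
    $expected = hash_hmac(COOKIE_HMAC_ALGO, $data, $key);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $payload = json_decode($data, true, 8, JSON_THROW_ON_ERROR);
    return is_array($payload) ? $payload : null;
}

// If legacy cookies must still be read with unserialize(), at least refuse
// to build objects from them (PHP >= 7.0), so a leaked key no longer turns
// straight into object injection.
function readLegacySerialized(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed demo key; a real deployment loads a persisted random key
// that is never derived from anything a user can observe.
$key    = bin2hex(random_bytes(32));
$cookie = signCookie(['id' => 42, 'name' => 'alice'], $key);
var_dump(readCookie($cookie, $key));        // valid cookie
var_dump(readCookie($cookie . 'x', $key));  // tampered cookie is rejected
```

The secret key still has to stay secret, but with a data-only format a compromised key lets an attacker choose cookie values, not the classes the application instantiates.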