A severe PHP exploit proof-of-concept attack could allow remote code execution attacks on several content management platforms including Typo3 and WordPress.
The vulnerability affects the PHP programming language behind several major CMS companies, was discovered more than a year ago and remains unresolved at the time this story was written.
The flaw was reported back in February 2017 and stems from behaviors of PHP’s built-in “phar://” stream wrapper, which helps it implement complex file handling functionality for various URL-style protocols, Secarma who uncovered the exploit said.
An attacker can exploit the flaw first by placing a valid Phar archive containing the payload object into the victim’s local file system and then triggering a file operation on a “phar://” path that refers to the file.
The vulnerability is enabled through a series of what would have been considered low risk server-side request forgery (SSRF) vulnerabilities which enable attackers to cause denial of service and then access local or remote files and services, by abusing a widely available but rarely used feature in XML parsers
“XXE issues whose maximum impact would previously have been considered file disclosure provided that out-of-band communication was possible must now be considered potential code execution issues, whether out-of-band communication is possible or not,” researchers said in the report.
“Several SSRF issues must now also be considered to expose the possibility of unserialization and therefore code execution. Finally issues which might have been considered to have minimal impact when allow_url_fopen is disabled (such as those presented in the case studies) have now been demonstrated to lead to code execution.”
One of the researchers described the attack as beign a novel technique specific to PHP which could cause unserialization to occur in a variety of exploitation scenarios.