**Title:** phpwcms 1.10.8 phar/php filter vulnerability

**Description:**

The phpwcms Content Management System is vulnerable to PHP Object Injection and Local File Disclosure through the image_resized.php script. The vulnerability exists because user input from the 'imgfile' GET parameter is passed to the PHP is_file() function without proper validation. While the script attempts to sanitize the input by removing 'http://' and 'https://' prefixes, it fails to handle other protocols like 'phar://' or PHP filter wrappers, allowing attackers to bypass this protection.

This vulnerability allows an attacker to:

1. Trigger PHP Object Injection through PHAR deserialization (only when a POP chain exists in the application)
2. Read local files through PHP filter chains using error-based oracle techniques, as described in [PHP filter chains for file read from error-based oracle](https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle)

The vulnerability is particularly dangerous because it's exposed without authentication requirements, making it accessible to unauthenticated attackers. When the is_file() function is called with a URL using the phar:// wrapper, PHP automatically deserializes the metadata of the PHAR archive, which can lead to object injection if the application contains suitable POP chains.

```text
GET /image_resized.php?format=jpg&w=100&h=200&q=85&imgfile=phar://path/to/exploit.phar HTTP/1.1
Host: dem0.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: */*
```

Example of vulnerable code:

```php
// User-controlled path taken straight from the query string
$img_file = (isset($_GET['imgfile'])) ? trim($_GET['imgfile']) : 'img/leer.gif';
// Only two URL prefixes are stripped; any other stream wrapper is left intact
$img_file = str_replace(array('http://', 'https://'), '', $img_file);
// [...]
// is_file() and getimagesize() both open the path, honouring stream wrappers
if(is_file($img_file) && $img_info = getimagesize($img_file)) {
```

**Source:** https://github.com/3em0/cve_repo/blob/main/phpwcms/image_resized%23is_file.md

**User:** Dem0 (UID 82596)

**Submission:** 15/05/2025 02:34 PM (12 months ago)

**Moderation:** 03/06/2025 07:15 AM (19 days later)

**Status:** Duplicate

**VulDB Entry:** 310914 [slackero phpwcms up to 1.9.45/1.10.8 image_resized.php is_file/getimagesize imgfile privilege escalation]

**Points:** 0
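The root cause described above is a deny-list (stripping two URL prefixes) applied to a value that is then handed to wrapper-aware filesystem functions. The following is an added example of the allow-list approach a fix would take; it is not phpwcms code, and the image directory, the function name and the accepted image types are assumptions for illustration.

```php
<?php
// Added example (not phpwcms code): confine 'imgfile' to a fixed image
// directory and reject anything that is not a plain relative file name.
// $imageRoot is an assumed deployment-specific location.

function resolveImageFile(string $userInput, string $imageRoot): ?string
{
    $name = trim($userInput);

    // Reject any scheme or stream wrapper up front (phar://, php://filter,
    // file://, data:, ...) instead of stripping a fixed list of prefixes.
    if ($name === '' || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name)) {
        return null;
    }
    // Reject NUL bytes, absolute paths and parent-directory segments.
    if (strpos($name, "\0") !== false || $name[0] === '/' || $name[0] === '\\'
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $name)) {
        return null;
    }

    // realpath() resolves symlinks and returns false for wrappers and
    // non-existent files; the result must still sit below the image root.
    $root = realpath($imageRoot);
    $path = realpath($imageRoot . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    if (!is_file($path)) {
        return null;
    }
    // Accept only real raster images, judged by content rather than extension.
    $info = getimagesize($path);
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_WEBP];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return null;
    }
    return $path;
}

$imageRoot = __DIR__ . '/img';                                   // assumption
$input     = isset($_GET['imgfile']) ? (string) $_GET['imgfile'] : 'leer.gif';
$imgFile   = resolveImageFile($input, $imageRoot);
if ($imgFile === null) {
    http_response_code(400);
    exit('invalid image');
}
// $imgFile is now a verified on-disk image inside $imageRoot; resize from here.
```

Because the scheme check runs before any filesystem call, is_file() and getimagesize() never see a phar:// or php://filter string, so neither PHAR metadata deserialization nor a filter-chain oracle can be triggered through this parameter.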