Submit #578083: phpwcms 1.10.8 phar/php filter vulnerability

Title: phpwcms 1.10.8 phar/php filter vulnerability
Description: The phpwcms Content Management System is vulnerable to PHP Object Injection and Local File Disclosure through the image_resized.php script. The vulnerability exists because user input from the 'imgfile' GET parameter is passed to the PHP is_file() function without proper validation. While the script attempts to sanitize the input by removing 'http://' and 'https://' prefixes, it fails to handle other protocols like 'phar://' or PHP filter wrappers, allowing attackers to bypass this protection.

This vulnerability allows an attacker to:

1. Trigger PHP Object Injection through PHAR deserialization (only when a POP chain exists in the application)
2. Read local files through PHP filter chains using error-based oracle techniques, as described in [PHP filter chains for file read from error-based oracle](https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle)

The vulnerability is particularly dangerous because it's exposed without authentication requirements, making it accessible to unauthenticated attackers. When the is_file() function is called with a URL using the phar:// wrapper, PHP automatically deserializes the metadata of the PHAR archive, which can lead to object injection if the application contains suitable POP chains.

```text
GET /image_resized.php?format=jpg&w=100&h=200&q=85&imgfile=phar://path/to/exploit.phar HTTP/1.1
Host: dem0.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: */*
```

(Screenshot: ../dists/phpwcms2.png)

Example of vulnerable code:

```php
$img_file = (isset($_GET['imgfile'])) ? trim($_GET['imgfile']) : 'img/leer.gif';
$img_file = str_replace(array('http://', 'https://'), '', $img_file);
// [...]
if(is_file($img_file) && $img_info = getimagesize($img_file)) {
```
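As an added defender-side example (not phpwcms code and not part of the submission), the following hardened replacement for that check rejects any URL scheme instead of stripping only http/https, confines the resolved path to an assumed image root, and only then hands the file to getimagesize(); the root directory and default image name are assumptions:

```php
<?php
// Added example, not phpwcms code. IMAGE_ROOT and DEFAULT_IMG are assumed values.
const IMAGE_ROOT  = '/var/www/phpwcms';   // assumption: directory that holds the images
const DEFAULT_IMG = 'img/leer.gif';        // assumption: fallback image, as in the original

/**
 * Return an absolute path to an image inside IMAGE_ROOT, or null if the
 * request must be refused. Never passes wrapper URLs to is_file()/getimagesize().
 */
function safe_image_path(string $input): ?string
{
    $input = trim($input);

    // Refuse every stream wrapper (phar://, php://, data:, file://, ...) outright.
    // Stripping just 'http://' and 'https://' leaves every other scheme usable,
    // which is the weakness in the original check. Also refuse NUL bytes.
    if (preg_match('#^[a-z0-9+.\-]+:#i', $input) || strpos($input, "\0") !== false) {
        return null;
    }

    // Resolve against the image root and confirm the result stays inside it,
    // which also neutralises '../' traversal.
    $root = realpath(IMAGE_ROOT);
    $real = realpath(IMAGE_ROOT . '/' . $input);
    if ($root === false || $real === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // Only regular files with an image extension; getimagesize() still checks the content.
    if (!is_file($real) || !preg_match('/\.(jpe?g|png|gif|webp)$/i', $real)) {
        return null;
    }
    return $real;
}

$img_file = safe_image_path($_GET['imgfile'] ?? '') ?? IMAGE_ROOT . '/' . DEFAULT_IMG;

// The path is now a plain filesystem path inside IMAGE_ROOT, so no wrapper can be reached.
if ($img_info = @getimagesize($img_file)) {
    // continue with the resize as before
}
```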
Source: https://github.com/3em0/cve_repo/blob/main/phpwcms/image_resized%23is_file.md
User: Dem0 (UID 82596)
Submitted: 15.05.2025 14:34 (11 months ago)
Moderated: 03.06.2025 07:15 (19 days later)
Status: Duplicate
VulDB entry: 310914 [slackero phpwcms up to 1.9.45/1.10.8 image_resized.php is_file/getimagesize imgfile privilege escalation]
Points: 0
