| Title | phpwcms 1.10.8 phar/php filter vulnerability |
|---|
| Description | The phpwcms Content Management System is vulnerable to PHP Object Injection in the article content type 21 (Custom Source Tab) through deserialization of untrusted input. An attacker can provide a malicious PHAR URL via the 'cpage_custom' parameter in the content editing form, which is passed directly to the file_get_contents() function without proper validation. This vulnerability allows attackers to inject PHP Objects through a PHAR file or utilize various PHP stream wrappers for side-channel attacks. No known POP (Property Oriented Programming) chain has been identified in the core application, meaning this vulnerability may have limited impact unless other components with suitable gadgets are installed. If a POP chain exists through additional components, attackers could potentially delete files, access sensitive information, or execute arbitrary code depending on the available gadgets. This vulnerability can be exploited by attackers with access to the phpwcms admin interface. The attack requires a valid CSRF token to be included in the request. |
|---|
| Source | ⚠️ https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23file_get_contents.md |
|---|
| User | Dem0 (UID 82596) |
|---|
| Submission | 05/15/2025 13:25 (11 months ago) |
|---|
| Moderation | 06/03/2025 07:14 (19 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 310913 [slackero phpwcms up to 1.9.45/1.10.8 Custom Source Tab cnt21.readform.inc.php file_get_contents/is_file cpage_custom deserialization] |
|---|
| Points | 20 |
|---|