Submit #578082: phpwcms 1.10.8 phar/php filter vulnerability

Title: phpwcms 1.10.8 phar/php filter vulnerability

Description: The phpwcms Content Management System is vulnerable to PHP Object Injection and Local File Disclosure through the image_resized.php script. The vulnerability exists because user input from the 'imgfile' GET parameter is passed to the PHP getimagesize() function without proper validation. While the script attempts to sanitize the input by removing 'http://' and 'https://' prefixes, it fails to handle other protocols like 'phar://' or PHP filter wrappers, allowing attackers to bypass this protection.

This vulnerability allows an attacker to:

1. Trigger PHP Object Injection through PHAR deserialization (only when a POP chain exists in the application)
2. Read local files through PHP filter chains using error-based oracle techniques, as described in [PHP filter chains for file read from error-based oracle](https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle)

The vulnerability is particularly dangerous because it's exposed without authentication requirements, making it accessible to unauthenticated attackers.

Source: https://github.com/3em0/cve_repo/blob/main/phpwcms/image_resized%23getimagesize.md
User: Dem0 (UID 82596)
Submission: 05/15/2025 14:33 (11 months ago)
Moderation: 06/03/2025 07:15 (19 days later)
Status: Accepted
VulDB entry: 310914 [slackero phpwcms up to 1.9.45/1.10.8 image_resized.php is_file/getimagesize imgfile deserialization]
Points: 20
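The input-handling flaw in the description above, shown as a two-scheme denylist next to an allowlist-based check. This is an added example, not phpwcms code or the project's fix; `IMAGE_ROOT`, the function names, the extension list and the sample inputs are assumptions made for illustration.

```php
<?php
const IMAGE_ROOT = '/var/www/site/content/images'; // assumed image directory

// Weak pattern (constructed illustration of what the description reports):
// only two schemes are removed, every other stream wrapper passes through.
function strip_http_prefix(string $input): string
{
    return str_ireplace(['http://', 'https://'], '', $input);
}

// Hardened pattern: accept only a relative path that resolves inside IMAGE_ROOT.
function resolve_image_path(string $input): ?string
{
    // No empty values, NUL bytes, or anything shaped like "scheme:" / "scheme://".
    if ($input === '' || strpos($input, "\0") !== false
        || strpos($input, '://') !== false
        || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $input)) {
        return null;
    }
    // Extension allowlist for the image types the endpoint is meant to serve.
    $ext = strtolower(pathinfo($input, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true)) {
        return null;
    }
    // realpath() collapses "../" and symlinks and returns false for missing files.
    $root = realpath(IMAGE_ROOT);
    $real = realpath(IMAGE_ROOT . DIRECTORY_SEPARATOR . $input);
    if ($root === false || $real === false) {
        return null;
    }
    // The resolved file must still sit under the image root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    return (strncmp($real, $prefix, strlen($prefix)) === 0 && is_file($real)) ? $real : null;
}

// getimagesize() only ever sees a vetted local path; every failure yields the
// same null result, so callers get no per-error detail to branch on.
function safe_image_size(string $input): ?array
{
    $path = resolve_image_path($input);
    $info = $path === null ? false : @getimagesize($path);
    return $info === false ? null : $info;
}

// Constructed sample inputs: the denylist leaves the wrapper forms intact,
// while the allowlist check rejects them before any filesystem call.
foreach (['photo.jpg', 'phar://archive/img.jpg', 'php://filter/resource=img.png'] as $sample) {
    printf("%-32s denylist=%-32s allowlist=%s\n", $sample, strip_http_prefix($sample),
        resolve_image_path($sample) === null ? 'rejected' : 'accepted');
}
```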
