PHP Phar Remote Code Execution Vulnerability

A security researcher has found a new technique that exploits the PHP unserialize> method using phar archives to achieve remote code execution.

Threat ID:: CC-2623
Category:
Threat Severity:: Low
Threat Vector:
Published:: 22 August 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A security researcher has found a new technique that exploits the PHP unserialize> method using phar archives to achieve remote code execution.

Threat details

PHP has the capability to serialize values including objects, generating a text representation that does not lose the value's type or structure. The unserialize method converts such a string of text back into a PHP value. Untrusted strings must not be passed to unserialize because it can load and execute object code automatically.

When a PHP application uses the phar:// stream wrapper to access phar archives, any metadata in the archive is immediately unserialised. This enables an attacker to execute code if they can place a valid phar archive onto a target system and trigger a file operation on it using a phar:// path.

Methods have been discovered to exploit this vulnerability in a variety of PHP web applications, including content management systems such as WordPress and Typo3. So far, these have required the attacker to be authenticated on the targeted system.

Remediation steps

Type	Step
	Ensure that antivirus and other security products are kept up to date, along with PHP and PHP applications, to maximise the probability of detecting malicious phar archives. When developing PHP applications, ensure that attacker-controlled data is not used in the beginning of file names when stream wrappers may be triggered.

Last edited: 17 February 2020 12:52 pm