PHP Code Execution Attack

A new exploitation technique has been discovered that allow attackers to trigger critical deserialization vulnerabilities in PHP programming language using previously low-risk considered functions.

The new technique leaves web applications open to remote code execution attacks, including websites powered by some popular content management systems like WordPress and Typo3.

PHP unserialization was first discovered in 2009 which allows attackers to perform various attacks by supplying malicious input to the PHP unserialize() function.

“Serialization is the process of converting data objects into a plain string, and unserialize function help program recreate an object back from a string”[1]


[1] https://en.wikipedia.org/wiki/Serialization


Exploitation Process

For successful exploitation attacker needs to:

  • Upload a valid Phar archive containing the malicious payload object onto the target's local file system
  • Trigger the file operation function access it using the "phar://" stream wrapper


Alternatively, an attacker can also exploit this vulnerability using a JPEG image that is an origin Phar archive, converted into a valid JPEG by modifying its first 100 bytes. Once the crafted image is uploaded on the targeted WordPress server, the attacker can use another function to call the same image file, as a Phar archive using the "phar://" stream wrapper.  This will eventually execute the arbitrary code when the program deserializes the metadata.[1]  These details can be found in the research paper https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf?

Prevention and Mitigation Strategies

The vulnerability still exists in Typo3 and patches have been released in 7.6.30, 8.7.17 and 9.3.  It was also reported to WordPress security team earlier last year, and the company acknowledged the issue.  However, the patch released by the company did not address the problem completely.  Our members are advised to utilize the latest patches now or as soon as they are available.


[1] 2 https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance