
Severe PHP Flaw Threatening WordPress Sites Remains Unpatched After A Year

by Abeerah Hashim

Despite the availability of many CMS options such as Drupal, Joomla, Magento, etc., most bloggers, and even entrepreneurs, prefer creating their sites using WordPress. However, researchers have highlighted a dangerous PHP flaw affecting such sites that has remained unpatched for over a year.

Critical PHP Flaw Threatening WordPress Websites

Researchers at Secarma have pointed out that a vulnerability remains unpatched even a year after its discovery and report. Speaking at the BSides and Black Hat USA 2018 conferences, Sam Thomas highlighted a critical PHP flaw threatening WordPress sites that can lead to full system compromise.

The researchers have published a detailed white paper about their findings. According to them, this PHP vulnerability lies in the way PHP serializes and deserializes data. The routine process of converting PHP objects into strings and back into PHP objects can be abused by attackers who manage to place malicious data on the server.

The technique involves the “phar://” stream wrapper, which permits access to data inside local Phar archives. Consequently, a file operation on a malicious archive triggers unserialization of attacker-controlled data, which can give the attacker complete access. As stated in the researchers’ white paper,

“To get to the crux of the issue at hand, Phar archives can also contain meta-data,”

where the metadata can be a serialized PHP object.

“This meta-data is unserialized when a Phar archive is first accessed by any(!) file operation. This opens the door to unserialization attacks whenever a file operation occurs on a path whose beginning is controlled by an attacker. This is true for both direct file operations (such as “file_exists”) and indirect operations such as those that occur during external entity processing within XML.”

Exploiting The PHP Unserialization Vulnerability

As explained by the researchers, exploitation via the “phar://” PHP stream wrapper takes place in two steps. In the first step, the attacker uploads a malicious Phar archive onto the local file system of the target. The second step is triggering a file operation on the corresponding “phar://” path.

According to their findings, the trouble lies within the second step. Here, a plethora of vulnerabilities may play a role in triggering the file operation. In particular, XML External Entity processing (XXE) and Server Side Request Forgery (SSRF) vulnerabilities, which on their own would not normally allow code execution, can be used to trigger the unserialization and thereby escalate to Remote Code Execution (RCE).
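The two steps described above each suggest a defensive check, shown in the following PHP example. This is an added illustration, not code from the Secarma white paper, WordPress or PHP itself; the function names, the 1 MiB scan limit and the sample inputs are constructed for the example, and it assumes PHP 8 (for str_contains and str_starts_with). It rejects uploads that carry a Phar stub (every Phar archive must contain the __HALT_COMPILER(); token), refuses to hand attacker-influenced paths with a stream-wrapper scheme to file functions, and unregisters the phar wrapper where an application does not need it.

```php
<?php
// Added defensive example (not code from the Secarma paper, WordPress or PHP).
// Two checks matching the two exploitation steps described in the article:
//   1. refuse to store uploads that carry a Phar stub (every Phar archive must
//      contain the __HALT_COMPILER(); token in its stub, whatever its extension);
//   2. refuse to pass user-influenced paths carrying a stream-wrapper scheme
//      (phar://, php://, data:, ...) to file operations such as file_exists().
// Function and constant names are our own, chosen for this example. Requires PHP 8.

declare(strict_types=1);

const UPLOAD_SCAN_BYTES = 1024 * 1024; // hypothetical limit: inspect the first 1 MiB of an upload

/**
 * Returns true if the uploaded bytes look like a Phar archive.
 * A Phar stub must contain __HALT_COMPILER(); so an "image" or "PDF"
 * upload that carries this token should be rejected at upload time.
 */
function looks_like_phar(string $bytes): bool
{
    return stripos($bytes, '__HALT_COMPILER') !== false;
}

/**
 * Returns true if $path names a stream wrapper rather than a plain file system path.
 */
function has_stream_wrapper(string $path): bool
{
    // scheme:// form (phar://, php://, ftp://, ...)
    if (preg_match('#^[a-zA-Z][a-zA-Z0-9+.\-]*://#', $path) === 1) {
        return true;
    }
    // data: and some custom wrappers omit the slashes; a Windows drive letter (C:) is one char.
    return preg_match('#^[a-zA-Z]{2,}:#', $path) === 1;
}

/**
 * Resolve a user-influenced relative path inside $baseDir, or return null if it
 * uses a wrapper, contains a NUL byte, does not exist, or escapes the base directory.
 */
function resolve_local_path(string $baseDir, string $userPath): ?string
{
    if (str_contains($userPath, "\0") || has_stream_wrapper($userPath)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // realpath() only succeeds for existing paths
    }
    // The resolved path must be $base itself or lie beneath it.
    if ($candidate !== $base && !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

// If the application never needs phar://, unregister the wrapper so that no
// code path can reach Phar metadata unserialization at all.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Demonstration with constructed inputs.
$uploads = [
    'photo.jpg'  => "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16),               // constructed JPEG-like header
    'avatar.jpg' => "<?php __HALT_COMPILER(); ?>\r\n" . str_repeat('A', 32), // constructed Phar-style stub
];
foreach ($uploads as $name => $bytes) {
    $verdict = looks_like_phar(substr($bytes, 0, UPLOAD_SCAN_BYTES)) ? 'REJECT (Phar stub)' : 'accept';
    echo "$name: $verdict\n";
}

$base = sys_get_temp_dir();
file_put_contents($base . DIRECTORY_SEPARATOR . 'notes.txt', 'constructed sample file');
foreach (['notes.txt', 'phar://uploads/avatar.jpg/x', '../../etc/passwd', 'php://filter/resource=x'] as $p) {
    $resolved = resolve_local_path($base, $p);
    echo str_pad($p, 32) . ' => ' . ($resolved === null ? 'refused' : 'ok') . "\n";
}
```

The upload check is the one that addresses the root of the problem, because the second step can be reached through many different file functions, XXE payloads and SSRF sinks, and path validation has to be applied at every one of them; refusing to store Phar archives in the first place closes the whole class at one choke point. Unregistering the wrapper is the strongest option, but it must be done before any code that legitimately relies on phar:// (such as Phar-packaged tooling) runs.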

The researchers have provided various case studies to illustrate how PHP unserialization can be exploited to take over a CMS. The prime examples include WordPress, Typo3, and TCPDF (a PDF generation library).

The first reports of this vulnerability date back to February 28, 2017, when researchers noted the PHP flaw threatening WordPress sites. For Typo3 and TCPDF, the case studies were reported on June 9, 2018, and May 24, 2018, respectively.
