Critical PHPFox RCE Vulnerability Risked Social Networks

Heads up, phpFox users! A critical remote code execution vulnerability existed in the phpFox service that allowed community takeovers. Following the bug report, phpFox patched the flaw with the latest service version to which, the researcher urges to update.

Remote Code Execution Vulnerability Riddled phpFox

Security researcher Egidio Romano discovered a critical security flaw in phpFox that threatened numerous social networks.

phpFox is a dedicated community-building platform facilitating users in creating interactive social networks. The service offers numerous free and paid features that let the users engage with their communities, alongside providing monetization options to the users.

According to the vulnerability description shared in the post from Karma(in)Security, exploiting the vulnerability could let an unauthenticated attacker inject PHP objects to the target application. This, in turn, could let the adversary compromise the targeted social network and the underlying system.

User input passed through the “url” request parameter to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code.

The vulnerability received the CVE ID CVE-2023-46817 and a critical severity rating.

Bug Fixed (Reluctantly!)

Following this discovery, Romano reported the vulnerability to the vendors. However, the vendors didn’t seem to realize the gravity of the matter. At first, they simply tried to brush off the matter by stating, “We currently do not have such security requirements,” later assuring a fix released with an earlier version not actually patched (4.8.13).

Commenting about this interaction, Romano shared his thoughts with LHN,

Specifically, with regards to this phpFox case, even though they say they don’t have specific security requirements, I would suggest them to be more kind with and trust security researchers who report them security issues in their products, without questioning the real existence of such security vulnerabilities and their impact, like they did with regards to CVE-2023-46817.

The researcher, as evident through the timeline shared, had to urge the vendors to deem the vulnerability important.

Eventually, the vendors patched the vulnerability with phpFox version 4.8.14, albeit without disclosing the specific security fix(es) in the release update.

According to Romano, this sort of response from a vendor like phpFox is disappointing, showing how the vendors try to deceive customers with a false sense of security.

Unfortunately, sometimes software vendors – like phpFox – are willing to hide and/or underestimate security bugs reported in their products, probably following a principle called Security Through Obscurity (STO)… I truly believe this principle is terribly wrong, giving to the software users a false sense of security, while there is no software bugs-free!

The researcher urged all phpFox users to update to the latest phpFox release (version 4.8.14 or later) to receive the security fix.

The following quote is from Darren Humphries, CISO at Acora 

The frequency of our cybersecurity risk assessments and vulnerability testing is ingrained in our operational rhythm – a monthly cadence that reflects our proactive approach to security. Our process revolves around a ‘Three pairs of eyes Governance,’ which ensures a robust model encompassing individual ownership, validation through review, and final evaluation by an auditors. This structured approach ensures the accountablity, reliability and accuracy of our risk approach.

 

Monthly vulnerability management serves as a dynamic shield against emerging threats. However, we refrain from adhering strictly to the traditional concept of vulnerability and patch management. Rather, we embrace Gartner’s paradigm shift, heralding the era of ‘exposure management.’ This novel perspective directs our attention towards fixing the issues that are genuinely exposed, transcending the mere metrics and numbers game.

 

Gartner’s exposition on exposure management resonates deeply with us. It’s not just about chasing vulnerabilities; it’s about strategically targeting critical exposures that could potentially cripple a system. The prevailing issue is that the sheer volume of vulnerabilities often leads organisations to play a futile game of whack-a-mole, missing the forest for the trees. What’s paramount is not showcasing an impressive closure rate for vulnerabilities but rather ensuring that our critical exposures are effectively addressed.

Metrics, though integral, must not become our sole focus. We resist the temptation to boast about closing off a high percentage of vulnerabilities. Instead, our focus is precise: Have we diligently safeguarded our critical exposures? In cybersecurity, quality trumps quantity. A single unchecked vulnerability could serve as an entry point for a malicious actor.

 

As vulnerabilities are identified, our response is swift and strategic. We approach vulnerability mitigation holistically, combining technical remedies with process improvements. Every remediation effort is meticulously tracked, forming a comprehensive record of our response. Over time, this chronicle not only helps gauge the effectiveness of our remediation measures but also serves as a knowledge base to fortify our future strategies.

 

Our commitment is not just to close vulnerabilities, but to reinforce the resilience of our systems against exposures that matter the most. This proactive and purpose-driven approach ensures that we remain at the vanguard of cybersecurity, ready to confront the ever-evolving threat landscape. In a world where a single vulnerability can change the game, it’s our dedication to exposure management that truly sets us apart .

 

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients