Cybersecurity researchers at Secarma Labs have exposed a PHP vulnerability in WordPress installations that can affect millions of websites powered by the content management system (CMS).
Sam Thomas, a researcher at Secarma, presented the vulnerability at the Black Hat conference in Las Vegas and at the BSides technical cybersecurity conference in Manchester. According to him, the vulnerability lies in the process of converting PHP objects into strings (serialization) and then converting them back into PHP objects (unserialization).
These processes are used across programming languages for moving data between servers, services and applications. Attackers can therefore abuse this behaviour in WordPress's PHP code and compromise systems by executing code on the affected servers and applications.
PHP comes with a number of built-in wrappers for various URL-style protocols to be used with filesystem functions. The vulnerability is related to the ‘phar://’ stream wrapper that allows access to files inside a local archive.
The research paper presented by Secarma Labs states that exploiting instances of this issue consists of two stages:
- Place a valid Phar archive containing the payload object onto the target’s local file system.
- Trigger a file operation on a “phar://” path referring to the file.
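The second stage only works when an attacker-influenced string reaches a filesystem function unchanged, so the practical defence is to refuse URL-style wrappers and confine paths to an expected directory before any file operation. The following PHP is an added illustration, not code from the Secarma paper or from WordPress: the function names, the hypothetical upload directory and the "vulnerable versus hardened" handler pair are assumptions made for this example.

```php
<?php
// Added example (not from the Secarma paper or WordPress core): a hardened
// path check for a hypothetical plugin-style file handler.
declare(strict_types=1);

/**
 * Returns the canonical local path for $path inside $baseDir, or null if
 * the input must not reach a filesystem function.
 * Rejects any URL-style stream wrapper ("phar://", "php://", "data://", ...),
 * so the phar:// handler can never be triggered by a file operation on the
 * returned value.
 */
function safe_local_path(string $path, string $baseDir): ?string
{
    // 1. Reject anything shaped like a stream wrapper: "scheme://".
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return null;
    }
    // 2. Reject NUL bytes, which would truncate the path in the C layer.
    if (strpos($path, "\0") !== false) {
        return null;
    }
    // 3. Resolve to a canonical absolute path and confine it to $baseDir,
    //    which also stops "../" traversal out of the allowed directory.
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $path);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// The pattern the article describes: an attacker-influenced string is
// handed straight to a filesystem function, which honours "phar://".
function file_is_present_vulnerable(string $userPath): bool
{
    return file_exists($userPath);
}

// Hardened form: validate and canonicalise first, then operate only on
// the resolved local path.
function file_is_present_hardened(string $userPath, string $uploadDir): bool
{
    $resolved = safe_local_path($userPath, $uploadDir);
    return $resolved !== null && file_exists($resolved);
}

// Constructed inputs for a quick manual check (hypothetical directory).
$uploadDir = '/var/www/uploads';
var_dump(safe_local_path('phar://uploads/avatar.jpg', $uploadDir)); // NULL
var_dump(safe_local_path('../../etc/passwd', $uploadDir));          // NULL
```

The scheme check runs before anything touches the filesystem, because `file_exists`, `is_file`, `filesize` and similar functions all go through the stream-wrapper layer and are exactly the "file operation" the second stage needs. Applying the same validation to every user-supplied path, not only to upload handlers, closes the trigger regardless of whether a Phar archive has already been placed on the host.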
“The techniques presented here demonstrate it is possible to abuse the “phar://” stream wrapper to induce unserialization in a wide range of scenarios. It is well known from previous work that it’s possible to exploit unserialization of attacker-controlled data to achieve code execution or other malicious outcomes,” wrote Secarma Labs in the paper.
The PHP vulnerability was reported to the WordPress team more than a year ago, but it hasn’t been fixed yet.