Do you use PHP for web development? If so, you need to be aware of a vulnerability that has been found in the language and could potentially be used by hackers to execute any command on the web server from a remote machine.

The hack works by surreptitiously triggering the deserialization of archive files that package applications. If you’re new to the concept of serialization, it’s the process of turning data objects into a plain string so that they can be transmitted or stored until they are needed again; deserialization is the reverse step that rebuilds the objects from that string.

A security researcher from Secarma, Sam Thomas, found that what were thought to be low-risk functions could be used to trigger deserialization without needing to use the unserialize() function.

The low-risk functions in question are related to Phar, PHP’s own archive format. Phar archives store their metadata in serialized form, and that metadata is automatically unserialized whenever the archive is accessed.

This vulnerability can be used to take control of a WordPress site from an author account. The hacker uploads a Phar archive containing a serialized data object with malicious code, then gets the application to access that file through the “phar://” stream wrapper. The archive can be disguised as something as simple as a JPEG image, such as a thumbnail, and used to escalate privileges and gain control of the system.
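The defensive takeaway from the paragraph above is that the dangerous step is letting user-controlled input reach a PHP file function as a path, because any path beginning with a stream wrapper scheme (“phar://”) is resolved through that wrapper. The snippet below is an added example, not code from the original post, from Secarma, or from WordPress: it shows a path validator that refuses scheme prefixes and confines uploads to one directory, plus the option of unregistering the phar wrapper entirely. The function name `safeUploadPath`, the demo directory and the sample inputs are this example’s own assumptions.

```php
<?php
// Added example (not from the original post): keep user-controlled paths away
// from PHP stream wrappers such as phar://, and confine them to one base dir.
// Assumed: uploaded files live under $baseDir; all names here are hypothetical.

declare(strict_types=1);

/**
 * Returns a canonical path inside $baseDir, or null if the input is unsafe.
 * The scheme check runs BEFORE the path reaches file_exists(), is_file(),
 * filesize() and similar calls, since those are the "low-risk" functions
 * that would otherwise trigger Phar metadata unserialization.
 */
function safeUploadPath(string $baseDir, string $userPath): ?string
{
    // Any "scheme:" prefix selects a stream wrapper rather than a plain path.
    // Case-insensitive on purpose: PHP accepts "PHAR://" as well as "phar://".
    // (This also rejects Windows drive letters, which is fine for paths that
    // are meant to be relative to $baseDir.)
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        return null;
    }
    // Embedded NUL bytes truncate paths in C-level calls; never allow them.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "..", so containment becomes a simple prefix test.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Belt and braces: if the application never needs to read .phar archives,
// remove the wrapper so "phar://" cannot be resolved at all. Do not do this
// in code paths that legitimately load tools shipped as .phar files.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed demonstration: a scratch directory with one real thumbnail.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'phar-demo-uploads';
@mkdir($baseDir);
touch($baseDir . DIRECTORY_SEPARATOR . 'thumb.jpg');

$samples = [
    'thumb.jpg',                      // ordinary upload: accepted
    'phar://uploads/thumb.jpg/x',     // wrapper scheme: rejected
    'PHAR://uploads/thumb.jpg/x',     // mixed case: still rejected
    '../../etc/passwd',               // escapes the base dir: rejected
];
foreach ($samples as $p) {
    $r = safeUploadPath($baseDir, $p);
    printf("%-30s => %s\n", $p, $r === null ? 'rejected' : 'ok: ' . $r);
}
```

Run it with `php safe_path.php`; only `thumb.jpg` is accepted, and the two `phar://` inputs are refused before any file function sees them. The scheme regex is deliberately broad (it blocks `php://`, `data:` and friends as well), because the problem the post describes is not specific to one wrapper: it is the act of handing untrusted strings to functions that interpret them as stream URLs.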

For a more detailed analysis of the vulnerability, and how it can be exploited by hackers, check out Thomas’ whitepaper which was released at the Black Hat USA conference.

Although the vulnerability was reported to the WordPress security team and the issue was acknowledged, the patch that was released did not address the problem completely. TYPO3 has released versions that solve the issue. If you want to know whether your web server is at risk, or which solution is best for your site, contact us for advice. Also, share this blog on social media to let others know.