A security researcher has discovered a new technique that hackers could use to exploit the PHP programming language.

The new technique leaves hundreds of thousands of web applications open to remote code execution attacks, including websites powered by some popular content management systems like WordPress and Typo3.

The exploit is based on object injection vulnerabilities, which can allow an attacker to carry out various kinds of attack by supplying malicious input to PHP’s unserialize() function.

Attack method

An attacker can trigger a ‘deserialisation’ attack in a wide range of scenarios without the application ever calling the unserialize() function directly.

The files that can be exploited are Phar archives, an archive format native to PHP. A Phar file stores its metadata in serialised form, and that metadata is unserialised whenever a file operation function, such as fopen() or file_get_contents(), accesses the archive.
  • Insecure deserialisation is a vulnerability that occurs when untrusted data is used to abuse the logic of an application. 
  • It is often exploited to cause a denial of service or even to execute arbitrary code (such as malware) at the moment the data is deserialised. 
  • This attack category was ranked number 8 in the Open Web Application Security Project (OWASP) Top Ten list for 2017.

Serialisation is the process of converting an object into a format that can be stored or transmitted. JSON and XML are two of the most commonly used serialisation formats in web applications.

Deserialisation is the reverse of serialisation: transforming serialised data read from a file, stream or network socket back into an object.
  • Objects are instances of the classes a programmer writes: each bundles data with the code that operates on it, and that code is what actually runs in the computer when the object is used.

Web applications make use of serialisation and deserialisation on a regular basis, and most programming languages provide native features for serialising data.

Safe deserialisation of objects is normal practice in software development. The trouble, however, starts when an application deserialises untrusted user input.

It is frequently possible for an attacker to abuse these deserialisation features when the application deserialises untrusted data that the attacker controls.
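The point made above, that rebuilding an object from serialised data runs class code the application never explicitly called, as an added PHP example written for this page rather than code from the article. The AuditLogger class, its __wakeup() counter and the serialised string are constructed for the demonstration; the guard shown at the end is PHP’s own allowed_classes option:

```php
<?php
declare(strict_types=1);

// Added example, not code from the article. Shows that unserialize() runs a
// class's magic methods for any object it rebuilds, and how to stop that for
// input a client controls. AuditLogger and the strings below are constructed.

class AuditLogger
{
    /** Counts how many AuditLogger objects PHP has rebuilt via unserialize(). */
    public static int $wakeups = 0;

    public string $target = '/var/log/app.log';

    // PHP calls __wakeup() automatically for every AuditLogger produced by
    // unserialize(). If the serialised string came from a client, whatever this
    // method does runs with property values the client chose.
    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// A serialised object as a client could submit it (constructed). The sender
// picks the class name and every property value.
$untrusted = 'O:11:"AuditLogger":1:{s:6:"target";s:17:"/tmp/anything.log";}';

// 1. Unsafe: the class is instantiated and __wakeup() runs with no call from
//    the application's own code.
$obj = unserialize($untrusted);
printf("unsafe: class=%s wakeups=%d\n", get_class($obj), AuditLogger::$wakeups);

// 2. Guarded: allowed_classes => false (PHP 7.0 and later) turns every object in
//    the string into __PHP_Incomplete_Class, so no class code runs at all.
$obj = unserialize($untrusted, ['allowed_classes' => false]);
printf("guarded: class=%s wakeups=%d\n", get_class($obj), AuditLogger::$wakeups);

// 3. Preferred: never unserialize() client data at all. Accept a data-only
//    format such as JSON and validate each field before using it.
$data = json_decode('{"target":"/tmp/anything.log"}', true, 512, JSON_THROW_ON_ERROR);
if (!is_array($data) || !is_string($data['target'] ?? null)) {
    throw new InvalidArgumentException('bad payload');
}
printf("json: target=%s wakeups=%d\n", $data['target'], AuditLogger::$wakeups);
```

When a specific class genuinely must be restored from stored data, pass an explicit array of class names to allowed_classes instead of false; the counter stays at 1 after step 2 and step 3 because neither path ever instantiates AuditLogger.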

How it can be used against WordPress

  • An attack can be executed against WordPress sites using an author account to take full control of the web server. 
  • To exploit the flaw successfully, all an attacker needs to do is upload a valid Phar archive containing the malicious payload object to the target's local file system and cause a file operation function to access it. 
  • An attacker can even exploit this vulnerability using a JPEG image: a Phar archive converted into a valid JPEG by modifying its first 100 bytes.
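Two defensive checks that follow from the scenario above, as an added PHP example written for this page; it is not code from the article, from WordPress or from the original research. It assumes an application that passes a user-influenced filename to a file function and stores uploads in one directory; the upload directory, file names and byte strings are constructed:

```php
<?php
declare(strict_types=1);

// Added example, not code from the article, WordPress or the original research.
// Hardens code that hands a user-influenced path to a file function and checks
// upload contents. The upload directory and sample inputs are constructed.

// 1. If the application never legitimately opens Phar archives, remove the
//    wrapper: with it gone, a "phar://" path cannot reach archive metadata.
if (in_array('phar', stream_wrapper_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

/**
 * 2. Resolve a user-influenced filename to an existing file inside $baseDir or
 *    throw. A "scheme://" prefix would select a PHP stream wrapper rather than a
 *    plain file, and realpath() resolves ".." and symlinks before the
 *    containment check, so paths that escape $baseDir are rejected as well.
 */
function safeLocalPath(string $baseDir, string $userPath): string
{
    if (preg_match('~^[a-z][a-z0-9+.\-]*://~i', $userPath) === 1) {
        throw new InvalidArgumentException('stream wrapper schemes are not allowed');
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    $prefix = $base === false ? '' : $base . DIRECTORY_SEPARATOR;
    if ($base === false || $real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('path is not a file inside the upload directory');
    }
    return $real;
}

/**
 * 3. Content check for uploads: every Phar stub must contain the
 *    __HALT_COMPILER(); token, whatever bytes precede it, so finding that token
 *    inside an "image" is a strong sign of a Phar/JPEG polyglot.
 */
function looksLikePhar(string $bytes): bool
{
    return stripos($bytes, '__HALT_COMPILER') !== false;
}

// Demonstration with constructed inputs.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads-demo';
if (!is_dir($uploads)) {
    mkdir($uploads, 0700);
}
$avatar = $uploads . DIRECTORY_SEPARATOR . 'avatar.jpg';
file_put_contents($avatar, "\xFF\xD8\xFF\xE0 constructed jpeg bytes");

echo 'accepted: ', safeLocalPath($uploads, 'avatar.jpg'), PHP_EOL;

foreach (['phar://avatar.jpg', '../../etc/hostname', 'missing.jpg'] as $bad) {
    try {
        safeLocalPath($uploads, $bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected '$bad': {$e->getMessage()}", PHP_EOL;
    }
}

// The polyglot check belongs on the raw upload bytes, before the file is stored.
var_dump(looksLikePhar(file_get_contents($avatar)));
var_dump(looksLikePhar("\xFF\xD8\xFF\xE0 constructed bytes ... __HALT_COMPILER(); ..."));
```

Unregistering the phar wrapper is only appropriate when nothing in the deployment (for example a tool shipped as a .phar) relies on it; the path and content checks apply regardless, and safeLocalPath() deliberately rejects files that do not yet exist, so a write path needs its own directory check.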

In practice

Successful insecure deserialisation attacks can allow an attacker to carry out:
  • Denial-of-service (DoS) attacks, in which a website crashes because it is overwhelmed with requests to access the site and load pages. 
  • Authentication bypasses, in which an attacker simply circumvents the authentication requirements. 
  • Remote code execution attacks, which attackers use to access someone else's computing device and make changes to it.

WordPress updates

This vulnerability is not limited to WordPress; it potentially affects many web applications. But given that around 75,000,000 websites use WordPress according to the latest figures, it’s important to flag up this issue.
  • WordPress is free, and it is developed by a community of developers. 
  • With each new release, the developers fix bugs, add new features, improve performance and enhance existing features to keep pace with new industry standards. 
  • If you don’t update your WordPress site, you put its security at risk and miss out on new features and improvements.
  • Updates are applied automatically, but if you have turned this function off, it’s more than a good idea to turn it back on.