Monero Forum
cpe:2.3:a:getmonero:monero:*:*:*:*:*:*:*
- 4.2.22
A chain of weaknesses leading to PHP object injection has been identified in the Monero Project's Laravel-based forum software, version 4.2.22. The entry point is the '/get/image/' endpoint, which passes the user-supplied 'link' parameter straight to 'file_get_contents()' without restricting the scheme, so PHP stream wrappers such as 'php://filter' reach the call. A MIME type check built on PHP's 'finfo' is applied to the fetched bytes, but 'finfo' only inspects the leading bytes of the buffer: a stream filter chain that prepends bytes resembling an image header satisfies the check while the remainder of the response is an arbitrary local file. This turns the endpoint into an arbitrary file read of the Laravel installation, including its configuration. With the 'APP_KEY' recovered from 'config/app.php', an attacker can forge validly encrypted cookies carrying a serialized object; Laravel passes the decrypted payload to 'unserialize()', which yields reliable remote code execution.
Successful exploitation allows for remote code execution on the server where the forum is hosted.
To reproduce this vulnerability, send a GET request to the '/get/image/' endpoint with a 'link' parameter that uses a PHP stream filter chain to prepend image-like header bytes to a local file, so the 'finfo' MIME check passes and the file contents are returned (arbitrary file read). Use this read to obtain the 'APP_KEY' from the Laravel configuration. With the key, forge an encrypted cookie whose decrypted payload is a serialized object; when the application decrypts and unserializes it, the object injection results in remote code execution.
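The following PHP is an added illustration, not the forum's own code. It places the pattern the advisory describes (a user-supplied link passed straight to 'file_get_contents()' and checked only with 'finfo') beside a hardened fetch that refuses non-http(s) schemes and private or reserved hosts before any I/O, so 'php://', 'file://' and 'data://' links never reach the stream layer. The function names, the '$link' parameter and the size limit are assumptions; the PHP 8 function 'str_starts_with' is used.

```php
<?php
// Added illustration, not code from the Monero forum. Function names,
// the $link parameter and the byte limit are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the scheme is unrestricted, so php://, file://,
// data:// and stream-filter URLs reach file_get_contents(). finfo only
// looks at the leading bytes of the buffer, so a filter chain that
// prepends an image-like header passes the check while the remainder
// of the buffer is any local file the web server can read.
function fetchImageVulnerable(string $link): ?string
{
    $bytes = @file_get_contents($link);
    if ($bytes === false) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    return is_string($mime) && str_starts_with($mime, 'image/') ? $bytes : null;
}

// Hardened pattern: parse the link first and allow only http(s) to a
// public host. Local files and PHP stream wrappers are unreachable
// regardless of what finfo later reports about the bytes.
function fetchImageHardened(string $link, int $maxBytes = 5_000_000): ?string
{
    $parts = parse_url($link);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // rejects php://, file://, data://, phar://, ...
    }

    // Resolve the host and refuse loopback, link-local, private and
    // reserved ranges so the endpoint cannot be turned into an SSRF
    // proxy against the local network. gethostbyname() returns the
    // input unchanged on lookup failure, hence the second check.
    $ip = gethostbyname($parts['host']);
    if ($ip === $parts['host'] && filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null; // DNS lookup failed (or bracketed IPv6 literal; rejected conservatively)
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return null;
    }

    // No redirects (a public host could 302 to an internal one), a
    // timeout, and a hard cap on the bytes read.
    $ctx = stream_context_create([
        'http' => ['timeout' => 5, 'follow_location' => 0],
    ]);
    $bytes = @file_get_contents($link, false, $ctx, 0, $maxBytes);
    if ($bytes === false) {
        return null;
    }

    // Require the payload to decode as an image, not merely to start
    // with bytes that look like an image header.
    if (@getimagesizefromstring($bytes) === false) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    return is_string($mime) && str_starts_with($mime, 'image/') ? $bytes : null;
}

// Both of these are rejected by the hardened function before any I/O:
// the first has no host, the second uses the php:// scheme.
fetchImageHardened('file:///var/www/config/app.php');
fetchImageHardened('php://filter/resource=/etc/hosts');
```

The scheme allowlist is the part that closes the reported flaw; the host and redirect checks address the SSRF that the same endpoint otherwise exposes. One caveat: resolving the host in 'gethostbyname()' and then letting 'file_get_contents()' resolve it again leaves a DNS rebinding window, so a production fix should pin the validated address for the actual request (for example with curl's 'CURLOPT_RESOLVE') rather than trust a second lookup.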
The vulnerable forum has been taken offline.