Slackero phpwcms Critical PHAR Deserialization Vulnerability in image_resized.php

Vulnerability

A critical vulnerability allowing PHP Object Injection and local file disclosure has been identified in Slackero phpwcms versions through 1.9.45 and 1.10.8. The issue arises in the image_resized.php file, where user input from the 'imgfile' GET parameter is improperly validated before being passed to the getimagesize() function. Although the script attempts to sanitize the input by removing 'http://' and 'https://' prefixes, it fails to account for other protocols like 'phar://' or PHP filter wrappers. This oversight enables attackers to exploit the vulnerability by injecting malicious PHAR files that can be deserialized, potentially leading to code execution. Additionally, the vulnerability allows for reading local files through PHP filter chains, using error-based oracle techniques.

Impact

Exploitation of this vulnerability could lead to PHP Object Injection through PHAR deserialization, which may allow code execution, and to unauthorized reading of local files via PHP filter chains combined with error-based oracle techniques.

Reproduction

The vulnerability can be reproduced by sending a GET request to image_resized.php with a crafted 'imgfile' parameter that uses a PHP stream wrapper, such as 'phar://', which the script's basic sanitation does not remove. This request can be made using tools like curl or Postman.
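The root cause described above is a blacklist (strip 'http://' and 'https://') applied to a value that is then handed to getimagesize(). The following is an added example, not phpwcms's own code, of the kind of check a maintainer would use instead: it rejects every URL scheme or stream wrapper outright, restricts the value to a plain relative filename with an image extension, and confines the resolved path to an allowed image directory. The function name, the 'content/images' directory and the usage sketch are assumptions for this example.

```php
<?php
// Added example (not code from phpwcms). Hardened handling for an
// 'imgfile'-style parameter before it reaches getimagesize().

function resolveImagePath(string $userInput, string $baseDir): ?string
{
    // Reject anything carrying a scheme or stream wrapper prefix
    // (phar://, php://, data://, file://, ...) instead of stripping
    // a fixed list of prefixes.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userInput)) {
        return null;
    }
    // Reject NUL bytes, which can truncate paths in lower-level calls.
    if (strpos($userInput, "\0") !== false) {
        return null;
    }
    // Allow only a conservative character set and known image extensions;
    // this also rules out php://filter chains, which carry no such suffix.
    if (!preg_match('#^[\w./-]+\.(jpe?g|png|gif|webp)$#i', $userInput)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $userInput);
    // realpath() resolves '..' and symlinks; the result must remain
    // inside the allowed directory.
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (!is_file($full)) {
        return null;
    }
    return $full;
}

// Usage sketch; the directory is an assumption for this example.
$imgfile = $_GET['imgfile'] ?? '';
$path = resolveImagePath($imgfile, __DIR__ . '/content/images');
if ($path === null) {
    http_response_code(400);
    exit('invalid image');
}
$info = getimagesize($path); // only ever receives a vetted local path
```

Because getimagesize() honours stream wrappers, the important property is that the argument it receives is a filesystem path that was produced by the application, never the raw parameter; a request such as 'imgfile=phar://...' or 'imgfile=php://filter/...' is refused by the first check, and a traversal like '../../etc/passwd' fails the prefix check after realpath().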

Remediation

Users are advised to upgrade to phpwcms versions 1.9.46 or 1.10.9. For versions prior to 1.10, it is recommended to upgrade to the legacy version 1.9.46 first.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 8.1
exploitability: 9.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.