My-Little-Forum
cpe:2.3:a:mylittleforum:my_little_forum:*:*:*:*:*:*:*
- <= 20251129.1
A vulnerability in My Little Forum versions prior to 20260208.1 allows for Phar deserialization exploitation, leading to arbitrary file deletion. The issue arises from inadequate URL validation in the image upload feature, where the phar:// protocol is not properly filtered. This oversight enables attackers to upload a malicious Phar file disguised as a JPEG image, which is then processed through BBCode image tags. The vulnerability takes advantage of a deserialization flaw in Smarty 4.1.0, executing a chain of operations that results in the deletion of specified files.
Exploitation of this vulnerability allows for the deletion of critical files, such as database configuration or .htaccess files, leading to application failure or exposure of sensitive directory structures. Additionally, uploaded images and other application data can be deleted, causing persistent damage by removing installation files necessary for system recovery.
To reproduce this vulnerability, upload a Phar polyglot file disguised as a JPEG image through the forum's image upload feature. After the upload, use BBCode to reference the image with a phar:// URL, which will trigger the deserialization. This can be done by posting a message that includes the phar:// link to the uploaded image. Once the post is published, the vulnerability will execute, resulting in the deletion of the targeted file.
Users can upgrade to My Little Forum version 20260208.1, where this vulnerability has been fixed. For those unable to upgrade, it's recommended to disable the image upload feature or implement server-level restrictions to prevent the phar:// protocol from being used.
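The root cause described above is a missing scheme allow-list on image URLs before they reach a file function, and the workaround is to block the phar:// wrapper at the server level. The following is an added illustration of both measures, written here for this advisory and not taken from My Little Forum's own code base; the function names, the upload directory and the sample URLs are constructed for the example.

```php
<?php
// Added example (not My Little Forum project code): scheme allow-listing for
// image URLs taken from BBCode [img] tags, safe resolution of uploaded files,
// and removal of the phar:// stream wrapper as defense in depth.
// All function names and paths below are hypothetical.

declare(strict_types=1);

/**
 * Accept only absolute http(s) URLs or site-relative paths for [img] tags.
 * Any other scheme (phar://, file://, data:, ftp://, ...) is rejected before
 * the string can reach getimagesize(), file_exists() or similar functions,
 * which is where a phar:// path would trigger metadata deserialization.
 */
function is_safe_image_url(string $url): bool
{
    $url = trim($url);
    if ($url === '' || strlen($url) > 2048) {
        return false;
    }
    // Control characters and NUL bytes can confuse downstream parsers.
    if (preg_match('/[\x00-\x1f\x7f]/', $url) === 1) {
        return false;
    }
    // Site-relative path: a single leading slash, no scheme, no traversal.
    if ($url[0] === '/' && !str_starts_with($url, '//')) {
        return !str_contains($url, '..');
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Lower-casing defeats mixed-case tricks such as "PhAr://".
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/**
 * Resolve a user-supplied image name to a file inside the upload directory.
 * Only the basename is used, so neither a scheme nor a directory component
 * from the request can influence the path that file functions open.
 */
function resolve_upload_path(string $requested, string $uploadDir): ?string
{
    $base = basename($requested);
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    $dirReal = realpath($uploadDir);
    if ($dirReal === false) {
        return null;
    }
    $candidate = $dirReal . DIRECTORY_SEPARATOR . $base;
    // The file is checked only after the path is known to be local.
    return is_file($candidate) ? $candidate : null;
}

/**
 * Defense in depth: when the application never needs to read .phar archives,
 * unregister the wrapper at bootstrap so no file function can dereference it.
 * This mirrors the "server-level restriction" suggested in the advisory.
 */
function disable_phar_wrapper(): bool
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        return stream_wrapper_unregister('phar');
    }
    return true;
}

// Constructed sample inputs exercising the allow-list.
$samples = [
    'https://forum.example.test/uploads/photo.jpg',   // accepted
    '/uploads/photo.jpg',                             // accepted (site-relative)
    'phar://uploads/photo.jpg',                       // rejected: phar scheme
    'PHAR:///var/www/uploads/photo.jpg',              // rejected: mixed case, no host
    'file:///etc/passwd',                             // rejected: file scheme
    '//cdn.example.test/photo.jpg',                   // rejected: no explicit scheme
    "/uploads/../config.php",                         // rejected: traversal
];

disable_phar_wrapper();
foreach ($samples as $s) {
    printf("%-45s %s\n", $s, is_safe_image_url($s) ? 'allow' : 'deny');
}
```

The allow-list has to run before any filesystem call sees the URL: a single stat-style operation such as `file_exists()` or `getimagesize()` on a phar:// path is enough to unserialize the archive's metadata, so validating after the fact does not help. Unregistering the wrapper is the coarser control and is appropriate for a forum that has no legitimate need for Phar archives at runtime.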