Sam Thomas, a security researcher from Secarma, has discovered a new exploitation technique that could make it easier for hackers to trigger critical deserialization vulnerabilities in PHP programming language using previously low-risk considered functions.
The new technique leaves hundreds of thousands of web applications open to remote code execution attacks, including websites powered by some popular content management systems like WordPress and Typo3.
How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%
PHP unserialization or object injection vulnerabilities were initially documented in 2009, which could allow an attacker to perform different kinds of attacks by supplying malicious inputs to the unserialize() PHP function.
If you are unaware, serialization is the process of converting data objects into a plain string, and unserialize function help program recreate an object back from a string.
Thomas found that an attacker can use low-risk functions against Phar archives to trigger deserialization attack without requiring the use of unserialize() function in a wide range of scenarios.
In a detailed paper released at Black Hat conference last week, Thomas demonstrated how this attack can be executed against WordPress sites using an author account to take full control over the web server.
Read more: The Hacker News
