Thomas explained that it is possible to carry out the attack by converting a Phar archive in a JPEG image, an operation that is possible by modifying its first 100 bytes.

“The way certain thumbnail functionality within the application works enables an attacker with the
privileges to upload and modify media items to gain sufficient control of the parameter used in a
“file_exists” call to cause unserialization to occur.” explained the researcher.

“The core vulnerability is within the wp_get_attachment_thumb_file function in /wpincludes/post.php:” 

Once uploaded the malicious thumbnail on the targeted server running the WordPress website the attacker can use another function to call the image file as a Phar archive using the “phar://” stream wrapper.

“It is possible to reach this function through an XMLRPC call to the “wp.getMediaItem” method, with
an arbitrary value for $imagedata[‘thumb’] and a partially controlled value for $file.
$file is returned by get_attached_file also from /wp-includes/post.php” continues the analysis.

Thomas reported his findings to the WordPress security team on 28th February 2017l. WordPress released a security update that did not solve the problem completely.

The researcher also reported the flaw to Typo3 on 9th June 2018, and the issue was fixed with the release of the versions 7.6.30, 8.7.17 and 9.3.

Pierluigi Paganini

(Security Affairs – PHP, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]