PHP Unserialization vulnerabilities causes WordPress to be attacked remotely

Sam Thomas, head of research at Secarma, a UK security company, presented security vulnerabilities in the PHP programming language at the Security Conference of Black Hat and BSides this month and noted that the vulnerability affects all PHP applications and libraries that accept user profiles, including content management such as WordPress. System (CMS) and will allow remote program attacks.

Serialization and Deserialization are functions that all programming languages have. Serialization converts objects into strings to migrate data to different servers, services, or applications and then reverses the characters. The string is restored to the object.

Security researcher Stefan Essar revealed the risks of deserialising hacker-controlled data in PHP in 2009, and the related vulnerabilities exist not only in PHP but also in other programming languages. Thomas announced a new attacking technology for PHP that can be used in a variety of scenarios, such as XML External Entity (XEE) vulnerabilities or server-side forgery request (SSFR) vulnerabilities.

Thomas said that in the past, the biggest problem with the XXE vulnerability was the leakage of information, but it is now possible to start the program. The related attack is divided into two phases. First, uploading a Phar archive containing malicious objects to the attacker’s local file system and then triggering a phar://-based file operation can lead to malicious program execution.

Thomas has used PHP’s deserialization program to successfully attack WordPress and the Typo3 content management platform, as well as the TCPDF library used by Contao.