Insecure PHP deserialization through phar:// wrapper. #949
During bug bounty hunting I came across one of the old versions of your library and decided to test it for known vulnerabilities, namely PHP deserialization through the phar:// wrapper, which was discovered independently by @s-n-t and @orangetw.
So, after some tests, it looks like your library has a similar issue to the TCPDF library.
The getImage() method of the Image/ImageProcessor class passes the value of the src attribute of an img tag to the fopen() function, which can lead to PHP deserialization if the value contains the phar:// wrapper.
For the proof of concept I created a class with a __destruct() method (based on the GuzzleHttp deserialization chain) and used the phpggc library to create an image which contains phar metadata. The phpggc repo also provides dozens of popular deserialization chains for popular frameworks and libraries.
Source code of test class:
Source code of trigger script:
Tested on versions 5.4.0 and 7.1.7 (latest).
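
One way to guard the fopen() call described in the issue above, as an added example that is not part of the original issue or of the library's own code. The function name isAllowedImageSource, the HTTP(S)-only allowlist and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper, not the library's code): validate an
// <img src> value before it is handed to fopen() or another filesystem call.
// Run the check on the exact string that will be passed to fopen().

// Assumption: the application only needs remote images over HTTP(S).
const ALLOWED_SCHEMES = ['http', 'https'];

function isAllowedImageSource(string $src): bool
{
    if ($src === '' || strpos($src, "\0") !== false) {
        return false;
    }
    // Anything of the form "<scheme>://" selects a PHP stream wrapper.
    // Allowlist the scheme instead of blocklisting phar://, and lowercase
    // it so that PHAR:// is treated the same as phar://.
    if (preg_match('#^([a-z0-9.+-]+)://#i', $src, $m) === 1) {
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
    }
    // PHP also accepts data: URIs without "//"; refuse them here.
    if (stripos($src, 'data:') === 0) {
        return false;
    }
    // No wrapper prefix: treated as a plain local path.
    return true;
}

// Constructed sample inputs, not taken from the issue.
$samples = [
    'https://example.com/logo.png',
    'images/logo.png',
    'phar://uploads/avatar.jpg/x',
    'PHAR://uploads/avatar.jpg/x',
];

foreach ($samples as $src) {
    printf("%-32s %s\n", $src, isAllowedImageSource($src) ? 'allow' : 'reject');
}
```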