Phar deserialization in phpBB - CVE-2018-19274
Published: November 23, 2018 / Updated: November 23, 2018
Vulnerability identifier: #VU16041
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-19274
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: phpBB Group
Affected software:
phpBB
Detailed vulnerability description
The vulnerability allows a remote attacker with administrator privileges to execute arbitrary PHP code.
The weakness exists in a feature that uses the Imagick image-editing binary and stems from Phar deserialization: user input is passed unsanitized to a PHP file system function, such as file_exists(). A remote attacker with access to the Admin Control Panel with founder permissions can upload a malicious image file and edit it with Imagick to execute arbitrary PHP code on the underlying server, and then perform a full site takeover.
How to mitigate CVE-2018-19274
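The unsafe pattern the advisory describes, shown beside a hardened check, as an added illustration that is not phpBB's code; the function names and the upload directory are assumptions:

```php
<?php
// Added illustration (not phpBB code). $uploadDir is an assumed directory.

// Vulnerable: a user-controlled string reaches file_exists() unchanged.
// If it begins with "phar://", PHP opens the archive and unserializes its
// metadata, so attacker-controlled data reaches unserialize() even though
// the code never calls it explicitly.
function imageExistsUnsafe(string $userPath): bool
{
    return file_exists($userPath);
}

// Hardened: refuse any stream wrapper, resolve the path on disk and
// require it to stay inside the upload directory before touching it.
function imageExistsSafe(string $userPath, string $uploadDir): bool
{
    // Reject anything shaped like "scheme://" (phar://, php://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return false;
    }
    // Only a plain relative name: no NUL bytes, no traversal.
    if ($userPath === ''
        || strpos($userPath, "\0") !== false
        || strpos($userPath, '..') !== false) {
        return false;
    }
    $base = realpath($uploadDir);
    $full = realpath($uploadDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $full === false) {
        return false;
    }
    // The resolved file must sit strictly under the upload directory.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return is_file($full);
}

// Defence in depth: an application that never needs phar:// can drop the
// wrapper, so no file system function can trigger Phar deserialization.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}
```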
Update to version 3.2.4.