Source: cna@vuldb.com
A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and announced that "[w]e fix this issue in the next version 5.8.23". A patch for it is ready.
PluXml versions up to 5.8.22 contain an insecure deserialization flaw (PHP object injection) in the media management module, core/admin/medias.php. By manipulating the File argument, an attacker can cause attacker-controlled serialized data to be deserialized by the application; the destructor named in the advisory, FileCookieJar::__destruct, then runs on the resulting object with attacker-chosen property values. Gadget chains of this kind typically yield an arbitrary file write and, from there, remote code execution (for example by writing a PHP file under the web root). The issue is publicly disclosed and fixed in version 5.8.23, so unpatched instances should be treated as exposed. Note that the advisory does not state whether an authenticated administrator session is required to reach the affected script; do not rely on the admin location alone as a mitigation.
Step 1: Payload Preparation: The attacker crafts a serialized PHP object of a class that is loadable by the application and whose magic method has a useful side effect (a "gadget"). Here the advisory names FileCookieJar::__destruct, so the object's properties are chosen to make that destructor do the attacker's work, for instance by pointing a file path and file contents at a location of the attacker's choosing.
Step 2: Payload Delivery: The attacker sends a request to core/admin/medias.php in which the File argument carries the serialized object (URL-encoded as necessary).
Step 3: Deserialization: The application deserializes the attacker-controlled data. At that moment PHP instantiates the FileCookieJar object with exactly the property values the attacker supplied; no code in the destructor has run yet.
Step 4: Gadget Execution: When the deserialized object is destroyed (typically at the end of the request, or as soon as the variable holding it goes out of scope), PHP invokes FileCookieJar::__destruct. Because the destructor operates on attacker-controlled properties, its file-writing side effect becomes an arbitrary file write, which the attacker uses to drop a web shell or otherwise obtain command execution on the server.
Step 5: Post-Exploitation: With code execution on the host, the attacker can exfiltrate data, escalate privileges, or move laterally within the network.
The advisory locates the vulnerability at FileCookieJar::__destruct, reached through core/admin/medias.php. The destructor itself does not deserialize anything: it is the gadget that PHP runs automatically when an object of the FileCookieJar class is destroyed. The flaw is that data under the attacker's control, passed through the File argument, reaches a deserialization sink, so the attacker decides which class is instantiated and what its properties contain. When the object is later freed, the destructor executes with those properties. This is the classic PHP object injection pattern: a single destructor that writes its contents to a file is sufficient to turn deserialization of untrusted bytes into an arbitrary file write, and an arbitrary file write on a PHP application is usually one step from arbitrary code execution. The root cause is not merely missing sanitization of the File argument but that untrusted input reaches unserialize() (or, on older PHP, a filesystem function that accepts a phar:// path) without object instantiation being disabled.
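The following is an added example, not PluXml code and not the FileCookieJar class from the advisory. It uses a hypothetical gadget class LogWriter (whose destructor writes a file, the same primitive a file-persisting destructor gives an attacker) to show why unserialize() on request data is enough to get that destructor executed with attacker-chosen arguments, and then shows the two fixes a developer would apply: deserializing with allowed_classes disabled, and refusing stream-wrapper or traversal paths when the parameter names a file. The function names loadMediaStateVulnerable, loadMediaStateSafe and resolveMediaPath are invented for the example; it assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);
// Added example, not PluXml code. Demonstrates PHP object injection through a
// destructor gadget and the fixes that stop it. Assumes PHP >= 8.0.

// Hypothetical gadget class: a stand-in for a class such as the advisory's
// FileCookieJar whose destructor persists its contents to a file.
class LogWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // PHP calls this when the object is freed, including objects that
        // unserialize() built from request data, using whatever property
        // values the serialized string specified.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// VULNERABLE: whatever arrives in the File parameter is deserialized as-is.
function loadMediaStateVulnerable(string $file): void
{
    $state = unserialize($file);
    // $state is dropped on return, so LogWriter::__destruct runs right here.
}

// HARDENED 1: if a serialized format is unavoidable, forbid instantiation.
// Every object becomes __PHP_Incomplete_Class, which carries no methods, so
// no constructor, __wakeup or destructor can ever run.
function loadMediaStateSafe(string $file): mixed
{
    return unserialize($file, ['allowed_classes' => false]);
}

// HARDENED 2: when File is meant to name a file, keep it away from stream
// wrappers (phar://, php://, data://) and confined to the media directory.
function resolveMediaPath(string $mediaDir, string $file): ?string
{
    if ($file === '' || str_contains($file, "\0")
        || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $file)) {
        return null;   // any scheme prefix is rejected
    }
    $base = realpath($mediaDir);
    $full = realpath($mediaDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $full === false
        || !str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return null;   // nonexistent, or resolved outside $mediaDir (../ traversal)
    }
    return $full;
}

// Build the attack string by hand instead of serialize(new LogWriter), so
// that no LogWriter object exists until the vulnerable sink creates one.
function serStr(string $v): string
{
    return 's:' . strlen($v) . ':"' . $v . '";';
}

$target  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'deser-demo.txt';
$payload = 'O:9:"LogWriter":2:{' . serStr('path') . serStr($target)
         . serStr('data') . serStr("written by the gadget\n") . '}';
// A real payload would point at a .php file under the web root instead.

@unlink($target);
loadMediaStateVulnerable($payload);
echo 'vulnerable sink, file created: ', var_export(file_exists($target), true), "\n";

@unlink($target);
$obj = loadMediaStateSafe($payload);
echo 'hardened sink, class: ', get_class($obj),
     ', file created: ', var_export(file_exists($target), true), "\n";

echo 'wrapper path accepted: ',
     var_export(resolveMediaPath(sys_get_temp_dir(), 'phar://x.phar/y') !== null, true), "\n";
echo 'traversal accepted:    ',
     var_export(resolveMediaPath(sys_get_temp_dir(), '../../etc/passwd') !== null, true), "\n";
@unlink($target);
```

Run it with the PHP CLI. The vulnerable sink creates the file even though the deserialized value is never used, because the destructor fires when the local variable is released; the hardened sink returns a __PHP_Incomplete_Class and writes nothing. On PHP versions before 8.0 the same destructor could also be reached by passing a phar:// path to a filesystem function, which is why resolveMediaPath rejects every scheme prefix rather than only phar://.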
Likely to be exploited by a wide range of actors, including script kiddies and potentially more sophisticated attackers. No specific APTs are known to be targeting this vulnerability at this time, but due to the public availability of the exploit, it is likely to be incorporated into existing attack toolkits. Not currently listed in CISA KEV.
Network traffic analysis: Look for requests to core/admin/medias.php whose File parameter (or any other parameter) carries a serialized PHP object, recognizable after URL-decoding by the header O:<length>:"<ClassName>":<count>:{, or a stream-wrapper prefix such as phar://. Web-server access logs only record the query string, so POST bodies require a WAF, reverse proxy or request-body logging to inspect.
File integrity monitoring: Monitor for unexpected file modifications in the PluXml installation directory, particularly new or changed .php files in web-writable locations such as the media upload directory, since a file-writing gadget chain is the usual route from deserialization to code execution.
Web application firewall (WAF) logs: Examine WAF logs for blocked requests that indicate PHP object injection attempts (serialized-object headers, phar:// wrappers, or known gadget class names in parameter values).
Intrusion detection system (IDS) signatures: Deploy IDS signatures for the serialized-object and stream-wrapper patterns above, scoped to the affected script, and for any public proof-of-concept payloads for this issue.
Server-side logging: Review web-server and PHP error logs for unserialize() errors ("Error at offset"), __PHP_Incomplete_Class warnings, or PHP fatal errors from the media management script, all of which suggest unexpected data reaching a deserialization sink.
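As an added example (not part of the advisory and not PluXml code), the following PHP CLI script implements the network-traffic check above over access log lines: it extracts the request line, restricts attention to core/admin/medias.php, URL-decodes the query parameters and flags any value that looks like a serialized PHP object or begins with a stream wrapper. The log lines are constructed for the example, not real traffic; the function names and the LogWriter class name in the sample payload are invented. It assumes PHP 8.0 or later and Apache/Nginx combined log format.

```php
<?php
declare(strict_types=1);
// Added example, not PluXml code: scan access log lines for requests to the
// media management script whose parameters look like PHP object injection.

const TARGET_SCRIPT = 'core/admin/medias.php';
// Serialized PHP object header: O:<len>:"<class>":<count>:{
const SERIALIZED_OBJECT = '/O:\d+:"[^"]+":\d+:\{/';
// Any stream wrapper (phar://, php://, data:// ...) at the start of a value
const STREAM_WRAPPER = '#^[a-z][a-z0-9+.\-]*://#i';

function parseRequestLine(string $logLine): ?array
{
    // Combined log format: ... "METHOD /path?query HTTP/1.1" status size ...
    if (!preg_match('/"(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $parts = parse_url($m[2]);
    if ($parts === false) {
        return null;
    }
    parse_str($parts['query'] ?? '', $params);   // parse_str URL-decodes values
    return ['method' => $m[1], 'path' => $parts['path'] ?? '', 'params' => $params];
}

function suspiciousValues(array $params): array
{
    $hits = [];
    foreach ($params as $name => $value) {
        // File[]=... arrives as an array; flatten one level, skip deeper nesting
        foreach ((array) $value as $v) {
            if (!is_string($v)) {
                continue;
            }
            if (preg_match(SERIALIZED_OBJECT, $v)) {
                $hits[] = "$name: serialized object";
            } elseif (preg_match(STREAM_WRAPPER, $v)) {
                $hits[] = "$name: stream wrapper";
            }
        }
    }
    return $hits;
}

function scanLog(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $req = parseRequestLine($line);
        if ($req === null || !str_ends_with($req['path'], TARGET_SCRIPT)) {
            continue;
        }
        $hits = suspiciousValues($req['params']);
        if ($hits !== []) {
            $findings[] = ['line' => $n + 1, 'method' => $req['method'], 'hits' => $hits];
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic). Line 2 carries a serialized
// object, line 3 a phar:// wrapper; lines 1 and 4 are benign.
$sample = [
    '10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /core/admin/medias.php?dir=photos HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/May/2024:10:01:05 +0000] "GET /core/admin/medias.php?File=O%3A9%3A%22LogWriter%22%3A2%3A%7Bs%3A4%3A%22path%22%3Bs%3A10%3A%22/tmp/x.php%22%3B%7D HTTP/1.1" 200 0',
    '10.0.0.9 - - [12/May/2024:10:01:07 +0000] "GET /core/admin/medias.php?File=phar%3A%2F%2F..%2Fdata%2Fmedias%2Fx.jpg%2Ftest.txt HTTP/1.1" 500 0',
    '10.0.0.7 - - [12/May/2024:10:02:00 +0000] "GET /index.php?article1/hello HTTP/1.1" 200 2048',
];

foreach (scanLog($sample) as $f) {
    printf("line %d %s: %s\n", $f['line'], $f['method'], implode(', ', $f['hits']));
}
```

To run it against a real log, replace $sample with `new SplFileObject('/var/log/apache2/access.log')` or similar. The serialized-object pattern is generic, so a hit on an unrelated parameter is a lead to investigate rather than proof of exploitation; conversely a clean access log does not clear a host, because POST bodies never appear there.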
Upgrade to PluXml version 5.8.23 or later. This is the only complete fix; the vendor has confirmed the patch ships in that version.
Until the upgrade is applied, place a Web Application Firewall (WAF) in front of the site and block requests to core/admin/medias.php whose parameters contain a serialized PHP object header or a stream-wrapper prefix (phar://, php://, data://). Treat this as a stopgap: encoding variations can bypass pattern-based filters.
Review and harden the server configuration: run PHP with disable_functions covering exec, shell_exec, system, passthru and proc_open where the application does not need them, keep the web server's write access limited to the directories that genuinely need it, and make sure the PHP process cannot write executable files into the web root.
Regularly scan the PluXml installation for vulnerabilities and apply security patches promptly.
For developers: never pass user-supplied data to unserialize(); if a serialized format cannot be avoided, call unserialize() with ['allowed_classes' => false] (or an explicit allow-list) so that no attacker-chosen class is instantiated, and when a parameter such as File names a file, reject stream wrappers and confine the resolved path to the media directory before any filesystem call.
Restrict access to the media management module to authenticated administrators, and where practical to trusted source addresses.
Monitor server logs and network traffic for the indicators listed above, and check file integrity after any suspected exploitation attempt.