Listen to this Post
The vulnerability arises from PHP’s automatic deserialization of metadata when accessing `phar://` stream wrappers. Functions like getimagesize(), file_exists(), and `is_readable()` – which appear safe – will trigger this deserialization if a path begins with phar://. OpenMage LTS (a Magento 1.x fork) uses these functions during image validation and media handling. An attacker can craft a polyglot file that is simultaneously a valid JPEG image and a malicious PHAR archive. The PHAR archive contains serialized gadget objects (e.g., a class with a `__destruct()` method that runs system commands). After uploading this polyglot as a product image or CMS media, the attacker forces the application to process the file using phar://. This happens if the application later calls `getimagesize()` on a user-controlled path that includes the uploaded file via the `phar://` wrapper. No user interaction is required once the path is triggered. The deserialization instantiates the gadget, and its destructor executes arbitrary code. The attack vector is network-based (file upload + web request). Attack complexity is high because it requires both uploading a valid polyglot and inducing a `phar://` access. Privileges required are none for some upload endpoints. Impact is complete system compromise (RCE). The vulnerability affects OpenMage LTS versions below 20.16.1 and any Magento 1.x derivative sharing the vulnerable code paths. Specific vulnerable files: `app/code/core/Mage/Core/Model/File/Validator/Image.php` (line 72, getimagesize($filePath)), `app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php` (line 137, getimagesize($item->getFilename())), and `lib/Varien/Image.php` (line 71, $this->_getAdapter()->open($this->_fileName)). The fix blocks `phar://` paths, removes ICO upload support, unregisters the `phar` stream wrapper, and hardens `unserialize()` calls.
dailycve form:
Platform: OpenMage LTS
Version: <20.16.1
Vulnerability: PHAR deserialization RCE
Severity: Critical
date: 2025-12-31
Prediction: 2026-01-21 (released)
What Undercode Say:
Detect vulnerable getimagesize() usage
grep -rn "getimagesize(" app/code/core/ --include=".php"
Unregister phar wrapper dynamically
php -r "stream_wrapper_unregister('phar'); echo 'phar disabled';"
Scan uploaded images for PHAR stub
grep -lzP '__HALT_COMPILER();' /path/to/uploads/.jpg
Simulate polyglot creation (proof)
php -d phar.readonly=0 -r "\$p = new Phar('test.phar'); \$p->setStub('<?php __HALT_COMPILER(); ?>'); \$p->setMetadata(new class{function __destruct(){system('id');}}); rename('test.phar','test.jpg');"
Exploit:
Upload polyglot file (valid JPEG + PHAR) via product image form. Then trigger `getimagesize(‘phar://./media/catalog/product/exploit.jpg’)` by crafting a request that includes the `phar://` path in an image validation endpoint. The malicious `__destruct()` runs, executing id > /tmp/pwned.
Protection from this CVE:
Upgrade to OpenMage LTS >=20.16.1. If unable, add `if (str_starts_with($path, ‘phar://’)) throw new Exception();` before every getimagesize()/file_exists() call. Unregister `phar` wrapper via `stream_wrapper_unregister(‘phar’)` in bootstrap. Disable ICO uploads entirely. Re-encode all uploaded images with GD (strips PHAR metadata). Set `unserialize()` options: ['allowed_classes' => false].
Impact:
Arbitrary code execution leading to full server takeover. Attacker can read/write files, install backdoors, pivot internally, and compromise the entire Magento application and underlying OS. Confidentiality, integrity, and availability are all completely lost.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

