Heads up, phpFox users! A critical remote code execution vulnerability in the phpFox platform allowed full community takeovers. Following the bug report, phpFox patched the flaw in the latest release, and the researcher urges all users to update.
Remote Code Execution Vulnerability Riddled phpFox
Security researcher Egidio Romano discovered a critical security flaw in phpFox that threatened numerous social networks.
phpFox is a dedicated community-building platform that lets users create interactive social networks. The service offers numerous free and paid features for engaging with communities, along with monetization options for site owners.
According to the vulnerability description shared in the post from Karma(in)Security, exploiting the flaw lets an unauthenticated attacker inject PHP objects into the target application. This, in turn, could let the adversary compromise the targeted social network and the underlying system.
User input passed through the “url” request parameter to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code.
The vulnerability received the CVE ID CVE-2023-46817 and a critical severity rating.
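To make the root cause concrete, here is an added illustration (not phpFox's code) of the dangerous pattern the advisory describes next to a hardened redirect handler. The route name, the allowlisted host and the sample inputs are assumptions for the example.

```php
<?php
// Added example, not phpFox's code: a sketch of the vulnerable pattern and a fix.
declare(strict_types=1);

// Vulnerable pattern: request data reaches unserialize(), so an attacker can
// instantiate any loadable class and trigger its magic methods (__wakeup,
// __destruct, ...). This is PHP object injection.
function redirectTargetUnsafe(string $urlParam): ?string
{
    $data = unserialize($urlParam);
    return is_array($data) && isset($data['url']) ? (string) $data['url'] : null;
}

// Hardened replacement: never deserialize PHP objects from a request. Treat the
// parameter as a plain URL, validate it, and pin the host to an allowlist so the
// endpoint cannot be abused as an open redirect either.
const ALLOWED_REDIRECT_HOSTS = ['community.example.org']; // assumed allowlist

function redirectTargetSafe(string $urlParam): ?string
{
    // Defense in depth: PHP-serialized data starts with a type tag such as "O:"
    // (object) or "a:" (array). Log and refuse it rather than parse it.
    if (preg_match('/^[OaCsibdN][:;]/', $urlParam) === 1) {
        error_log('redirect: rejected serialized-looking "url" parameter');
        return null;
    }
    $url = filter_var($urlParam, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $parts = parse_url($url);
    if (!isset($parts['scheme'], $parts['host'])
        || !in_array($parts['scheme'], ['http', 'https'], true)
        || !in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        return null;
    }
    return $url;
}

// If callers really must pass structured data, use a format that cannot
// instantiate classes: JSON instead of PHP serialization.
function decodeStructured(string $raw): ?array
{
    try {
        $decoded = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($decoded) ? $decoded : null;
}

// Constructed inputs: an allowlisted URL, a foreign host, and serialized data.
var_dump(redirectTargetSafe('https://community.example.org/home'));
var_dump(redirectTargetSafe('https://other.example.net/'));
var_dump(redirectTargetSafe('O:8:"stdClass":0:{}'));
```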
Bug Fixed (Reluctantly!)
Following this discovery, Romano reported the vulnerability to the vendor. However, the vendor didn’t seem to grasp the gravity of the matter. At first, they simply tried to brush it off, stating, “We currently do not have such security requirements,” and later claimed the issue had been fixed in an earlier version (4.8.13) that did not actually contain a patch.
Commenting on this interaction, Romano shared his thoughts with LHN:
Specifically, with regard to this phpFox case, even though they say they don’t have specific security requirements, I would suggest that they be kinder to, and trust, security researchers who report security issues in their products, without questioning the real existence of such security vulnerabilities and their impact, as they did with regard to CVE-2023-46817.
As the published timeline shows, the researcher had to press the vendor to treat the vulnerability as important.
Eventually, the vendor patched the vulnerability in phpFox version 4.8.14, albeit without mentioning the security fix(es) in the release notes.
According to Romano, this sort of response from a vendor like phpFox is disappointing, and it shows how vendors can leave customers with a false sense of security.
Unfortunately, sometimes software vendors – like phpFox – are willing to hide and/or underestimate security bugs reported in their products, probably following a principle called Security Through Obscurity (STO)… I truly believe this principle is terribly wrong, giving software users a false sense of security, while no software is bug-free!
The researcher urged all phpFox users to update to the latest phpFox release (version 4.8.14 or later) to receive the security fix.