New PHP Code Execution Attack Puts WordPress Sites at Risk

GlobalDots
1 Min read

Sam Thomas, a security researcher from Secarma, has discovered a new exploitation technique that could make it easier for hackers to trigger critical deserialization vulnerabilities in PHP programming language using previously low-risk considered functions.

Reduce your AWS costs by over 50%

Discover your Cloud Saving Potential – Answer just 5 simple questions. AppsFlyer, Playtika, Lufthansa, IBM, top leading companies are already using our FinOps services.

Reduce your AWS costs by over 50%

The new technique leaves hundreds of thousands of web applications open to remote code execution attacks, including websites powered by some popular content management systems like WordPress and Typo3.

PHP unserialization or object injection vulnerabilities were initially documented in 2009, which could allow an attacker to perform different kinds of attacks by supplying malicious inputs to the unserialize() PHP function.

If you are unaware, serialization is the process of converting data objects into a plain string, and unserialize function help program recreate an object back from a string.

Thomas found that an attacker can use low-risk functions against Phar archives to trigger deserialization attack without requiring the use of unserialize() function in a wide range of scenarios.

In a detailed paper released at Black Hat conference last week, Thomas demonstrated how this attack can be executed against WordPress sites using an author account to take full control over the web server.

Image Source

Read more: The Hacker News

Latest Articles

Justt – IaC

Justt is a chargeback mitigation startup based in Tel Aviv. Chargebacks, as defined, are demands by a credit card provider for a retailer to reimburse losses on fraudulent or disputed transactions. Justt’s objective is to assist merchants worldwide in combating false chargebacks using its proprietary artificial intelligence technology.

GlobalDots
22nd February, 2024
8 FinOps Best Practices for Cutting Cloud Costs

The cloud used to be viewed as a place of significant cost savings: rather than purchasing and maintaining dozens of server stacks, organizations could outsource this and purchase compute power on an as-needed basis. In the ensuing rush to cloud architecture, however, many companies simply lifted-and-shifted their old financial bad habits. The sheer speed of […]

GlobalDots
22nd February, 2024
How FinOps Capabilities Can Unlock Your Cloud Cost Goals

Cloud computing has transformed more than individual app architectures: it’s granted both start-ups and market leaders an equal platform for innovation. New products are no longer dependent upon complex revenue-draining in-house server stacks. Instead, cloud-native disruptors such as Uber and Airbnb have been able to harness the once-unthinkable degrees of agility, scalability, and cost-efficiency that […]

GlobalDots
24th January, 2024

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

Unlock Your Cloud Potential