PHP functions such as getimagesize(), file_exists(), and is_readable() can trigger deserialization when processing phar:// stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a phar:// path can achieve arbitrary code execution.
| Metric | Value | Justification |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable via file upload and web requests |
| Attack Complexity (AC) | High | Requires file upload + triggering phar:// access |
| Privileges Required (PR) | None | Some upload vectors don't require authentication |
| User Interaction (UI) | None | Exploitation is automatic once triggered |
| Scope (S) | Unchanged | Impacts the vulnerable component |
| Confidentiality (C) | High | Full system access via RCE |
| Integrity (I) | High | Arbitrary code execution |
| Availability (A) | High | Complete system compromise possible |
| File | Line | Vulnerable Function |
|---|---|---|
app/code/core/Mage/Core/Model/File/Validator/Image.php |
72 | getimagesize($filePath) |
app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php |
137 | getimagesize($item->getFilename()) |
lib/Varien/Image.php |
71 | $this->_getAdapter()->open($this->_fileName) |
PHP's phar (PHP Archive) format stores metadata that is serialized. When PHP's stream wrapper functions access a file using the phar:// protocol, the metadata is automatically deserialized. This occurs even with seemingly safe functions like file_exists() or getimagesize().
A polyglot file can be crafted that is both a valid image (passing initial validation) and a valid phar archive containing malicious serialized objects. When the application later processes this file using phar://, the deserialization triggers a gadget chain leading to RCE.
phar:// wrapper<?php
// Create malicious phar file
class ExploitGadget {
public $cmd = 'id > /tmp/pwned';
function __destruct() {
system($this->cmd);
}
}
$phar = new Phar('exploit.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'test');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->setMetadata(new ExploitGadget());
$phar->stopBuffering();
// Rename to appear as image
rename('exploit.phar', 'exploit.jpg');
// When getimagesize('phar://path/to/exploit.jpg') is called,
// the ExploitGadget::__destruct() method executes
Block phar:// paths before passing to vulnerable functions:
// Before (vulnerable)
[$imageWidth, $imageHeight, $fileType] = getimagesize($filePath);
// After (fixed)
if (str_starts_with($filePath, 'phar://')) {
throw new Exception('Invalid image path.');
}
[$imageWidth, $imageHeight, $fileType] = getimagesize($filePath);
Additionally, ICO files (which cannot be re-encoded by GD) are now scanned for phar signatures:
__HALT_COMPILER(); - Required phar stub<?php - PHP opening tag<?= - PHP short echo tagAdditional hardening measures:
ICO uploads removed: ICO file support is completely removed from new image uploads. This eliminates the polyglot attack vector entirely since all other image formats are re-encoded by GD, which strips any embedded phar metadata.
Phar wrapper disabled: The phar:// stream wrapper is unregistered at application bootstrap, preventing any phar deserialization attacks regardless of code path.
Cache deserialization hardening: All unserialize() calls on cached data now use allowed_classes => false as defense-in-depth.
Note: Existing uploaded ICO files will continue to work. Only new ICO uploads will be rejected. Users are encouraged to use PNG favicons for new uploads.
If immediate upgrade is not possible:
ini
; php.ini
disable_functions = phar://
Or in code:
php
stream_wrapper_unregister('phar');
Strict upload validation: Implement additional validation beyond file extension
File storage isolation: Store uploads outside web root with randomized names
Web Application Firewall: Block requests containing phar:// in parameters
This vulnerability was discovered and responsibly disclosed by blackhat2013 through HackerOne.
Source: https://hackerone.com/reports/3482926
| Score | Percentile |
|---|---|
| 0.07% | 20.65% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.1 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-fg79-cr9c-7369 ↗ |
| CVE | CVE-2026-25524 ↗ |
| CWE id | Name |
|---|---|
| CWE-502 | Deserialization of Untrusted Data |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | openmage/magento-lts | < 20.17.0 | 20.17.0 | — |