During a recent engagement, I came across a Symfony 1 application which contained several deserializations of untrusted user input.
However, there were no public gadget chains available for Symfony 1, only for Symfony 2 and onwards. So I decided to look for gadgets for the version of the audited application. I finally expanded the work to all versions of Symfony 1 as a challenge, from 1.0 to 1.5.

An unrestricted file upload in the WordPress Tatsubuilder plugin, version <= 3.3.11, enables an unauthenticated attacker to perform remote code execution (RCE) on the server host due to multiple weaknesses in the font import feature, putting 100,000 websites at risk.
The add_custom_font action can be used by anonymous users to upload a rogue zip file which is uncompressed under the public WordPress upload directory. By adding a PHP shell to the zip, with a filename starting with a dot ".", an attacker can bypass the plugin's extension control. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

This article provides a detailed walkthrough and tips on how to exploit a PHP unserialize vulnerability. It is based on a real-world case: the WordPress plugin All in One SEO Pack <= 4.1.0.1.
It enables authenticated users with the "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore the plugin's configuration by uploading a backup .ini file. However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds the Monolog library, which can be used to craft a gadget chain and thus trigger system command execution.