This attack leverages critical deserialization vulnerabilities in the PHP programming language.
It is prominent in technologies such as WordPress and TYPO3.
The attacker can use low-risk functions against Phar archives to trigger deserialization without requiring a call to the unserialize() function. These archives are similar to Java JAR archives, but are specific to PHP applications. They include metadata in a serialized format, and that data is unserialized by every file operation function (fopen, file_exists, file_get_contents, etc.) applied to the archive file. So whenever this type of archive is accessed, the metadata is unserialized, which opens a door to unserialization attacks. This works both for direct file operations (such as file_exists) and for indirect operations such as those that occur during external entity processing within XML.
This attack is also possible simply by converting a Phar archive into a JPEG image. Once it is uploaded to a WordPress website run by the attacker, they can reference the image through the "phar://" stream wrapper, as well as make an XML-RPC call to the "wp.getMediaItem" method, with an arbitrary value for $imagedata['thumb'] and a partially controlled value for $file.
Any attacker who can edit posts on a WordPress site can exploit this vulnerability.
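The defensive counterpart to the file-operation trigger described above, as an added example that is not part of the original page or of any of the projects it names: a PHP path validator that refuses stream-wrapper schemes (phar:// among them), NUL bytes and directory traversal before any file-operation function sees a user-controlled value, plus unregistering the phar wrapper where the application never needs it. The function name, the base-directory choice and the sample inputs are hypothetical.

```php
<?php
// Added example (not from the original page). Every name here is hypothetical.
// Goal: make sure a user-controlled string can never reach file_exists(),
// fopen(), file_get_contents() etc. as a "phar://..." (or any other wrapper)
// path, since those calls unserialize Phar metadata as a side effect.

declare(strict_types=1);

/**
 * Resolve $userSupplied to an absolute path inside $baseDir, or throw.
 * Only the returned value should ever be passed to a file-operation function.
 */
function resolveLocalPath(string $userSupplied, string $baseDir): string
{
    // Any "scheme://" prefix (phar://, php://, data://, ...) is a stream
    // wrapper, not a plain file name; refuse it outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userSupplied) === 1) {
        throw new InvalidArgumentException('Stream wrappers are not allowed');
    }
    // NUL bytes can truncate the path seen by the underlying C calls.
    if (strpos($userSupplied, "\0") !== false) {
        throw new InvalidArgumentException('Invalid character in path');
    }

    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('Base directory does not exist');
    }

    // realpath() collapses "../" segments and returns false for files that do
    // not exist, so the prefix comparison below is reliable. (Assumes $baseDir
    // is not the filesystem root.)
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userSupplied);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('Path does not exist or escapes the base directory');
    }
    return $candidate;
}

// Defence in depth: if this application never opens Phar archives at runtime,
// remove the wrapper so "phar://" cannot be used anywhere in the process.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Demonstration with constructed inputs; the temp dir stands in for the real
// upload directory, so 'report.jpg' is rejected only because it does not exist.
$uploads = sys_get_temp_dir();
foreach (['report.jpg', 'phar://upload.jpg/x', '../../etc/passwd'] as $name) {
    try {
        $path = resolveLocalPath($name, $uploads);
        echo "accepted '$name': file_exists=" . var_export(file_exists($path), true) . PHP_EOL;
    } catch (Throwable $e) {
        echo "rejected '$name': " . $e->getMessage() . PHP_EOL;
    }
}
```

Unregistering the wrapper is a process-wide setting and breaks anything loaded from a .phar in the same process, so it belongs in applications that are known not to rely on Phar at runtime. The validator covers the direct file-operation case the page describes; the indirect XML case it also mentions is addressed separately by not enabling external entity substitution when parsing untrusted XML.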