
Update dependency timber/timber to v2.1.0 [SECURITY] #37

Merged

titouanmathis (Contributor)

This PR contains the following updates:

Package: timber/timber (source)
Type: require
Update: minor
Change: 2.0.0 -> 2.1.0

GitHub Vulnerability Alerts

CVE-2024-29800

Summary

Timber is vulnerable to PHAR deserialization due to a lack of checking the input before passing it into the file_exists() function. If an attacker can upload files of any type to the server, he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when Timber is used with frameworks with documented POP chains like WordPress, or with vulnerable developer code.

Details

The vulnerability lies in the run function within the toJpg.php file. The two parameters passed into it are not checked or sanitized, hence an attacker could potentially inject malicious input leading to Deserialization of Untrusted Data, allowing for remote code execution.

PoC

Set up the following code in /var/www/html: vuln.php represents our use of Timber functions and phar-poc.php represents code with a vulnerable POP chain.
As an attacker, we generate our PHAR payload using the exploit script shown in the original screenshot. Generate it with the command shown there, then change the file extension from .phar to a valid extension such as svg, jpg, ...
Execute vuln.php with php vuln.php; you should see whoami being executed.

Impact

This vulnerability is capable of remote code execution if Timber is used with frameworks or developer code with vulnerable POP chains.

Recommended Fix

Filter the phar:// protocol.


timber/timber vulnerable to Deserialization of Untrusted Data

CVE-2024-29800 / GHSA-6363-v5m4-fvq3


Severity

  • CVSS Score: 8.0 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

timber/timber (timber/timber)

v2.1.0

Compare Source

Features
  • add filter to cache methods (#2878) (b347677)
  • add filter for sideloaded images basename (e4ff72f)
  • add filter to $output before it is cached (#2910) (d1356fd)
  • add is_current and profile_link methods (#2924) (b048da8)
  • Add WP escapers via Twig filters (#2933) (a88aa00)
  • Allow pagination object to be generated using $prefs only (99219a9)
  • allow pagination object to be generated using $prefs only (2834fd4)
  • bump php-stubs/acf-pro-stubs to ^6.0 (ac17052)
  • update ECS config and apply standards (#2893) (71111e1)
Reverts
  • revert changing property name (a7b019b)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
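As an added example (not Timber's code and not the fix shipped in v2.1.0), the hardening the advisory recommends, written out in PHP: a caller-controlled path is refused if it carries any stream-wrapper scheme such as phar://, and is additionally confined to an allowed directory, before it ever reaches file_exists(). The helper name safe_file_exists() and the demo inputs are assumptions constructed for this example.

```php
<?php
// Added example, not Timber's code or its actual fix. Mirrors the advisory's
// "filter the phar:// protocol" recommendation: a caller-controlled path is
// validated before it ever reaches file_exists(), which would otherwise
// resolve a phar:// (or other stream-wrapper) URL and unserialize PHAR
// metadata. Requires PHP 8.0+ for str_contains()/str_starts_with().

/**
 * True only if $path is a plain filesystem path (no "scheme://" prefix, no
 * NUL byte) that resolves to an existing file inside $allowedBase.
 * Wrappers are rejected wholesale rather than allow-listed, so phar://,
 * php://, data://, glob:// etc. never reach the filesystem functions.
 */
function safe_file_exists(string $path, string $allowedBase): bool
{
    // A NUL byte can truncate the path in C-level checks; refuse it outright.
    if (str_contains($path, "\0")) {
        return false;
    }
    // Any RFC 3986-style scheme followed by "://" selects a PHP stream wrapper.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }
    // realpath() collapses "../" and symlinks and returns false for missing
    // files, so a successful result is both existing and canonical.
    $base = realpath($allowedBase);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($real, $base);
}

// Constructed demo: one legitimate upload inside the base directory, then the
// inputs a validator like this must reject.
$base = sys_get_temp_dir();
$real = tempnam($base, 'upload');
$candidates = [
    $real,                       // accepted
    "phar://$real/img.jpg",      // rejected: stream wrapper
    "PHAR://$real",              // rejected: scheme match is case-insensitive
    "$base/../../etc/passwd",    // rejected: escapes the base directory
    "$real\0.jpg",               // rejected: NUL byte
];
foreach ($candidates as $c) {
    printf("%-48s %s\n", addcslashes($c, "\0"), safe_file_exists($c, $base) ? 'accepted' : 'rejected');
}
unlink($real);
```

Run it with php on the command line; only the first candidate is reported as accepted.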


codecov bot commented Jul 24, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.86%. Comparing base (8b5d7b9) to head (1d30a92).

Additional details and impacted files
@@            Coverage Diff             @@
##             develop      #37   +/-   ##
==========================================
  Coverage      64.86%   64.86%           
  Complexity       209      209           
==========================================
  Files             15       15           
  Lines            592      592           
==========================================
  Hits             384      384           
  Misses           208      208           
Flag      | Coverage Δ
unittests | 64.86% <ø> (ø)

Flags with carried forward coverage won't be shown.

@titouanmathis titouanmathis merged commit 8ebc259 into develop Jul 24, 2024
11 checks passed
@titouanmathis titouanmathis deleted the renovate/packagist-timber/timber-vulnerability branch July 24, 2024 14:53