CVE-2024-1198 Overview
A critical insecure deserialization vulnerability has been identified in openBI, an open-source business intelligence platform. The vulnerability exists in the addxinzhi function within the file application/controllers/User.php, specifically in the Phar Handler component. Attackers can exploit this flaw by manipulating the outimgurl argument, leading to arbitrary object deserialization and potentially remote code execution.
Critical Impact
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected openBI installations by exploiting insecure deserialization in the Phar Handler, potentially leading to complete system compromise.
Affected Products
- openBI versions up to and including 6.0.3
- All installations with the vulnerable User.php controller exposed
Discovery Timeline
- 2024-02-03 - CVE-2024-1198 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-1198
Vulnerability Analysis
This vulnerability falls under CWE-502 (Deserialization of Untrusted Data). The addxinzhi function in application/controllers/User.php fails to properly validate or sanitize the outimgurl parameter before processing it through the Phar Handler. PHP's Phar (PHP Archive) functionality can be abused when handling attacker-controlled file paths, as the Phar stream wrapper automatically deserializes metadata when accessing Phar archives.
The exploitation requires no authentication or user interaction, and the attack can be conducted remotely over the network. Successful exploitation grants attackers full control over the affected system, compromising confidentiality, integrity, and availability of the application and underlying server.
Root Cause
The root cause of this vulnerability is the lack of input validation on the outimgurl parameter in the addxinzhi function. When this parameter is passed to file handling functions that support the phar:// stream wrapper, PHP automatically deserializes the metadata stored within the Phar archive. If an attacker can upload or reference a malicious Phar file containing crafted serialized objects, the deserialization process can trigger magic methods that execute arbitrary code.
Attack Vector
The attack vector is network-based with low complexity requirements. An attacker can exploit this vulnerability by:
- Crafting a malicious Phar archive containing a serialized PHP object with dangerous magic methods (such as __destruct, __wakeup, or __toString)
- Either uploading the Phar file to the server or hosting it on an external location accessible by the target
- Sending a request to the vulnerable addxinzhi function with the outimgurl parameter set to a phar:// wrapper path pointing to the malicious archive
- When the application processes this path, PHP deserializes the Phar metadata, triggering the gadget chain and executing arbitrary code
The vulnerability has been publicly disclosed and exploit information is available through the Zhaoj Note Sharing resource. Additional technical details can be found in the VulDB advisory.
Detection Methods for CVE-2024-1198
Indicators of Compromise
- HTTP requests to /User/addxinzhi or related endpoints containing phar:// in the outimgurl parameter
- Unusual file access patterns involving .phar files or suspicious archive operations
- Unexpected PHP processes or child processes spawned by the web server
- Web server access logs showing encoded or obfuscated phar:// wrapper attempts
Detection Strategies
- Monitor web application firewall (WAF) logs for requests containing phar:// stream wrapper patterns in user-controllable parameters
- Implement intrusion detection rules to flag HTTP requests to User.php endpoints with suspicious file path patterns
- Deploy file integrity monitoring on the openBI installation directory to detect unauthorized changes
- Analyze PHP error logs for deserialization-related warnings or exceptions
Monitoring Recommendations
- Enable verbose logging for the openBI application to capture all incoming requests and parameter values
- Configure security information and event management (SIEM) rules to correlate suspicious activity targeting the User controller
- Establish baseline behavior for file operations and alert on anomalous Phar-related file access
- Monitor outbound network connections from the web server for potential command-and-control communication
How to Mitigate CVE-2024-1198
Immediate Actions Required
- Restrict access to the affected User.php controller endpoints until a patch can be applied
- Implement WAF rules to block requests containing phar:// or similar stream wrapper patterns in user input
- Review and audit all user-controllable parameters that interact with file system operations
- Consider disabling the Phar stream wrapper at the PHP configuration level if not required by the application
Patch Information
At the time of publication, users should check the openBI project for security updates addressing this vulnerability. Review the VulDB advisory for the latest remediation guidance. Upgrading to a version beyond 6.0.3 that includes a fix for this deserialization vulnerability is strongly recommended when available.
Workarounds
- Disable the Phar stream wrapper in PHP configuration by adding phar to the disable_functions directive or using stream_wrapper_unregister('phar') in the application bootstrap
- Implement strict input validation to reject any file paths containing stream wrapper prefixes like phar://, php://, or data://
- Use application-level filtering to sanitize the outimgurl parameter before processing
- Deploy network segmentation to limit the impact of potential compromise
# PHP configuration to disable phar stream wrapper
# Add to php.ini or application configuration
php -d "disable_functions=phar_open" your_script.php
# Alternative: Disable in application bootstrap
# Add to index.php or configuration file
stream_wrapper_unregister('phar');
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
