CVE-2017-5677
📋 TL;DR
PEAR HTML_AJAX versions 0.3.0 through 0.5.7 have a PHP object injection vulnerability in the PHP serializer that allows remote attackers to execute arbitrary code. This affects any PHP application using these vulnerable HTML_AJAX library versions for AJAX functionality. The vulnerability stems from an incorrect regular expression that fails to properly validate serialized data.
💻 Affected Systems
- PEAR HTML_AJAX
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker gains full control of the web server, allowing data theft, system compromise, and lateral movement within the network.
Likely Case
Remote code execution leading to web application compromise, data exfiltration, and potential server takeover.
If Mitigated
Limited impact with proper network segmentation, WAF rules blocking malicious serialized data, and minimal attack surface exposure.
🎯 Exploit Status
Exploitation details and proof-of-concept code are publicly available in security advisories and mailing lists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.5.8
Vendor Advisory: http://blog.pear.php.net/2017/02/02/security-html_ajax-058/
Restart Required: No
Instructions:
1. Update PEAR HTML_AJAX to version 0.5.8 or later using: pear upgrade HTML_AJAX
2. Verify the update with: pear list | grep HTML_AJAX
3. Test AJAX functionality in your application.
🔧 Temporary Workarounds
Disable PHP Serializer
Switch to JSON or another serialization method instead of the vulnerable PHP serializer in the HTML_AJAX configuration.
Modify HTML_AJAX configuration to set default serializer to 'JSON' or other non-PHP options
WAF Rule Implementation
Deploy web application firewall rules to block malicious serialized PHP objects in AJAX requests.
Add WAF rule to detect and block patterns like 'O:[0-9]+:"' in POST/PUT request bodies
🧯 If You Can't Patch
- Isolate affected systems behind firewalls with strict inbound/outbound rules
- Implement network segmentation to limit lateral movement if compromised
🔍 How to Verify
Check if Vulnerable:
Check the installed HTML_AJAX version with: pear list | grep HTML_AJAX (versions 0.3.0 through 0.5.7 are affected)
Check Version:
pear list | grep HTML_AJAX
Verify Fix Applied:
Confirm that the listed version is 0.5.8 or higher: pear list | grep HTML_AJAX
📡 Detection & Monitoring
Log Indicators:
- Unusual PHP object unserialization errors in web server logs
- Suspicious AJAX requests containing serialized PHP objects
Network Indicators:
- HTTP POST requests with serialized PHP object patterns to AJAX endpoints
- Unusual outbound connections from web server post-exploitation
SIEM Query:
source="web_logs" AND ("unserialize" OR "O:8:" OR "O:16:") AND status=200
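As an added example (not part of this advisory or of the HTML_AJAX library), the following Python check applies the 'O:[0-9]+:"' indicator from the WAF workaround to request bodies. It matches any class-name length rather than the fixed O:8: / O:16: prefixes of the SIEM query, URL-decodes form-encoded bodies first, and drops hits whose declared length does not fit the class name; the endpoint path and class name are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Header of a serialized PHP object: O:<name length>:"<class name>":<property count>:{
# Any length is matched, so objects nested inside serialized arrays (a:1:{i:0;O:...}) are
# found too, unlike a search for fixed "O:8:" / "O:16:" prefixes.
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')


def find_php_objects(body: str) -> list:
    """Return (class_name, property_count) for each well-formed object header in body.

    The declared length must equal the real class-name length; a mismatch is ordinary
    text that merely resembles a header, not something PHP's unserialize() would accept.
    """
    hits = []
    for m in PHP_OBJECT_RE.finditer(body):
        declared, name, props = int(m.group(1)), m.group(2), int(m.group(3))
        if len(name) == declared:
            hits.append((name, props))
    return hits


def scan_requests(requests, ajax_paths=("/server.php",)):
    """Flag POST/PUT requests to AJAX endpoints whose decoded body carries a PHP object.

    `requests` is an iterable of dicts with method, path, body and status keys, e.g. parsed
    from a proxy or application log. Returns a list of (path, status, [class names]).
    """
    flagged = []
    for r in requests:
        if r["method"] not in ("POST", "PUT") or r["path"] not in ajax_paths:
            continue
        # AJAX bodies are commonly form-encoded; decode once so %22 / %7B cannot hide the header
        objects = find_php_objects(unquote_plus(r["body"]))
        if objects:
            flagged.append((r["path"], r["status"], [name for name, _ in objects]))
    return flagged


# Constructed sample traffic (not real captures); "/server.php" and "Example_Class" are placeholders
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/server.php", "status": 200,
     "body": 'c=Calc&m=add&a=a:2:{i:0;i:1;i:1;i:2;}'},            # serialized array only: benign
    {"method": "POST", "path": "/server.php", "status": 200,
     "body": 'note=O:12:"short":1:{ is not an object'},            # decoy: declared length mismatch
    {"method": "POST", "path": "/server.php", "status": 200,
     "body": 'a=O%3A13%3A%22Example_Class%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D'},
    {"method": "GET", "path": "/index.php", "status": 200, "body": ""},
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print("serialized PHP object in request:", hit)
```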
🔗 References
- http://blog.pear.php.net/2017/02/02/security-html_ajax-058/
- http://karmainsecurity.com/KIS-2017-01
- http://seclists.org/fulldisclosure/2017/Feb/12
- http://www.securityfocus.com/bid/96044
- https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5acb5adcd195f9a06b732794cb0de7620def646
- https://pear.php.net/bugs/bug.php?id=21165