CVE-2022-29363
📋 TL;DR
CVE-2022-29363 is a critical deserialization vulnerability in Phpok v6.1: the update_f() function in login_control.php deserializes attacker-controlled input, which lets an attacker who can reach that function write a crafted PHP file to the server and execute arbitrary code. The affected code sits in the login controller, so assume it is reachable without credentials. Every installation running the vulnerable version is affected, and successful exploitation can end in complete compromise of the host.
💻 Affected Systems
- Phpok CMS
📦 What is this software?
Phpok is an open-source PHP content management system published by qinggan (https://github.com/qinggan/phpok).
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with attacker gaining shell access, installing backdoors, stealing data, and pivoting to other systems.
Likely Case
Webshell deployment leading to data theft, defacement, and further lateral movement within the network.
If Mitigated
Attack blocked at WAF level or system isolated before exploitation, resulting in no impact.
🎯 Exploit Status
Exploit code is publicly available and trivial to execute against vulnerable systems.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2 or later (as stated here; confirm the fixing commit in the upstream repository rather than relying on the version number alone)
Vendor Reference: https://github.com/qinggan/phpok/issues/12 (a GitHub issue, not a formal vendor advisory)
Restart Required: No for PHP itself, but if OPcache runs with opcache.validate_timestamps=0 the old bytecode stays cached until PHP-FPM is reloaded or opcache_reset() is called
Instructions:
1. Back up the Phpok installation and its database.
2. Download Phpok v6.2 or later from the official repository.
3. Replace the installed files with the patched release.
4. Open login_control.php and confirm that update_f() no longer passes request data to unserialize(); compare the function against the upstream fix rather than only checking that the function still exists.
🔧 Temporary Workarounds
Disable vulnerable endpoint (Linux)
Temporarily block or rename login_control.php. Phpok dispatches a request to <controller>_control.php and the method <function>_f() through its c= and f= parameters, so renaming the file stops c=login&f=update from being routed, but it also breaks legitimate login through that controller; use it only as an emergency measure.
mv /path/to/phpok/login_control.php /path/to/phpok/login_control.php.disabled
WAF rule implementation (all platforms)
Deploy a web application firewall rule that blocks requests carrying c=login and f=update (in the query string or the POST body) together with PHP serialization markers such as O:<n>:"...":<n>:{ or a:<n>:{. Matching on a URI that contains login_control.php is not enough: the controller file is never requested by name, only through the entry script with those parameters.
🧯 If You Can't Patch
- Isolate the Phpok system from the internet and restrict network access to only necessary internal services.
- Implement strict file integrity monitoring on the Phpok directory to detect unauthorized file writes.
🔍 How to Verify
Check if Vulnerable:
Check whether your Phpok installation is version 6.1 by examining the version file, or read update_f() in login_control.php: if it passes request-derived data to unserialize(), the installation is vulnerable. The mere presence of an update_f() function proves nothing, since the fixed release may keep the function with safe code.
Check Version:
# Locate the version string without dumping every line of the code base
grep -rIn --include='*.php' -i 'version' /path/to/phpok/ | head -n 20
# Show update_f() in every login_control.php and check whether unserialize() is called inside it
grep -rIn --include='login_control.php' -A 25 'function update_f' /path/to/phpok/ | grep -i 'unserialize'
Verify Fix Applied:
Verify that the Phpok version is 6.2 or later and that update_f() in login_control.php no longer hands request data to unserialize(). A clean grep is only a first check: compare the function body with the upstream fix, since a wrapper function could hide the call.
📡 Detection & Monitoring
Log Indicators:
- Requests that dispatch the login controller's update_f() (c=login and f=update in the query string or POST body) and carry PHP-serialized data; the URI will name the entry script, not login_control.php
- Unexpected file creation in web directories
- Webshell access patterns in access logs
Network Indicators:
- HTTP requests containing PHP-serialized objects or arrays (full prefixes such as O:<n>:"<class>":<n>:{ or a:<n>:{, rather than a bare "O:" or "s:", which match ordinary text)
- Traffic to known webshell paths
SIEM Query (needs a log source that records request bodies, such as a WAF or audit log; standard access logs do not):
source="web_logs" AND (uri="*c=login*" OR body="*c=login*") AND (uri="*f=update*" OR body="*f=update*") AND (uri="*O:*:\"*" OR body="*O:*:\"*" OR body="*a:*:{*")
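The log and network indicators above, turned into detection logic as an added example (code written for this page, not Phpok's or any vendor's). It assumes Phpok's routing convention, where update_f() in login_control.php is reached as c=login&f=update through an entry script such as admin.php or index.php, and it reads constructed JSON audit-log lines with a "body" field, which only a WAF or audit log provides. It matches full PHP serialization prefixes so that a bare "O:" or "s:" in a search term does not raise an alert.

```python
"""Detection example added for this advisory (not Phpok's code): flag
requests that dispatch c=login&f=update and carry PHP-serialized data.
Assumptions: Phpok routes <c>_control.php / <f>_f() via the c= and f=
parameters (entry script name does not matter); SAMPLE_LOG is a constructed
JSON-lines audit log whose "body" field a WAF or audit module recorded."""
import json
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Full PHP serialization prefixes: O:<len>:"<class>":<n>:{ and a:<n>:{
PHP_OBJECT = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')
PHP_ARRAY = re.compile(r'a:\d+:\{')

# Constructed sample: a normal login, an object payload in the body, a benign
# search containing "O:" and "s:", and an array payload in a GET query string.
SAMPLE_LOG = """\
{"client":"198.51.100.2","method":"POST","uri":"/admin.php?c=login&f=update","body":"user=admin&pass=s3cret&_chkcode=7417"}
{"client":"203.0.113.7","method":"POST","uri":"/admin.php?c=login&f=update","body":"data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A4%3A%22file%22%3Bs%3A9%3A%22shell.php%22%3B%7D"}
{"client":"198.51.100.9","method":"GET","uri":"/index.php?c=index&f=search&keywords=O%3A+ring+s%3A+large","body":""}
{"client":"203.0.113.8","method":"GET","uri":"/index.php?c=login&f=update&r=a%3A1%3A%7Bs%3A1%3A%22k%22%3Bs%3A1%3A%22v%22%3B%7D","body":""}
"""


def request_params(uri: str, body: str) -> dict[str, list[str]]:
    """Merge query-string and form-body parameters, URL-decoded."""
    merged = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        merged.setdefault(key, []).extend(values)
    return merged


def targets_login_update(params: dict[str, list[str]]) -> bool:
    """c=login&f=update is how update_f() in login_control.php is dispatched."""
    return "login" in params.get("c", []) and "update" in params.get("f", [])


def serialized_markers(uri: str, body: str) -> list[str]:
    """Class names of serialized objects, plus 'array' for serialized arrays.
    The decoded URI and body are scanned as a whole so a payload that is not
    form-encoded is still seen."""
    text = unquote_plus(uri) + "\n" + unquote_plus(body)
    markers = sorted(set(PHP_OBJECT.findall(text)))
    if PHP_ARRAY.search(text):
        markers.append("array")
    return markers


def find_suspicious(log_text: str) -> list[dict]:
    """One record per request that both dispatches c=login&f=update and
    carries a PHP-serialized object or array anywhere in its parameters."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        body = rec.get("body", "")
        if not targets_login_update(request_params(rec["uri"], body)):
            continue
        markers = serialized_markers(rec["uri"], body)
        if markers:
            hits.append({"client": rec["client"], "method": rec["method"],
                         "markers": markers})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} serialized: {', '.join(hit['markers'])}")
```

Of the four constructed lines only the second and fourth are flagged: the ordinary login carries no serialized data, and the search request containing "O:" and "s:" neither targets the login controller nor matches a full serialization prefix. Feeding the same function a real audit log requires only that each record expose the client, method, URI and (where available) body fields.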