CVE-2023-28115

9.8 CRITICAL

📋 TL;DR

CVE-2023-28115 is a PHAR deserialization vulnerability in the Snappy PHP library that allows attackers to achieve remote code execution by uploading malicious files and then referencing them through the phar:// stream wrapper. It affects all Snappy users prior to version 1.4.2, and is especially dangerous in applications built on frameworks such as Laravel or Symfony that have documented POP chains. The vulnerability occurs when user-controlled input is passed to file_exists() without protocol validation: when a filesystem function opens a phar:// path, PHP deserializes the archive's metadata, which is where the attacker-supplied object graph lives.

💻 Affected Systems

Products:
  • KnpLabs/snappy
Versions: All versions prior to 1.4.2
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires file upload capability and user-controlled input to the generateFromHtml() function. Risk increases when used with frameworks containing POP chains.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with full system compromise, allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to web server compromise, data exfiltration, and potential lateral movement within the network.

🟢 If Mitigated

Denial of service or limited information disclosure if proper input validation and file upload restrictions are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires file upload capability and knowledge of vulnerable POP chains. The vulnerability is well-documented with public proof-of-concept references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.2

Vendor Advisory: https://github.com/KnpLabs/snappy/releases/tag/v1.4.2

Restart Required: No

Instructions:

1. Update Snappy to version 1.4.2 or later using composer: composer require knplabs/knp-snappy:^1.4.2
2. Verify the update completed successfully
3. Test functionality to ensure no breaking changes

🔧 Temporary Workarounds

Input Validation and Protocol Restriction (applies to: all)

Implement strict input validation that rejects the phar:// protocol and other dangerous protocols in user-controlled input: filter out phar://, file:// and any other stream wrapper in application code before the value reaches file_exists() or Snappy.

File Upload Restrictions (applies to: all)

Restrict file uploads to safe locations and validate file types before processing: configure the web server to restrict upload directories and implement MIME type validation.

🧯 If You Can't Patch

  • Implement strict input validation to reject phar:// protocol in all user-controlled parameters
  • Restrict file upload functionality and implement proper file type validation
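The protocol-restriction workaround described above (and repeated under "If You Can't Patch"), as an added example that is not code from Snappy or its maintainers: a PHP 8 helper that rejects every stream wrapper and confines a user-supplied output path to one directory before file_exists() or any other filesystem call sees it. The function name, the allowed directory and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Snappy's code. Vulnerable pattern: file_exists($userPath)
// on a raw, user-controlled string, which lets a phar://... value reach the
// PHAR wrapper. Hardened pattern: validate first, then touch the filesystem.
function assertSafeOutputPath(string $userPath, string $allowedDir): string
{
    // Explicit deny of every registered wrapper (phar, file, data, http, ...).
    // stripos() is used so mixed-case variants such as PHAR:// are caught too.
    foreach (stream_get_wrappers() as $wrapper) {
        if (stripos($userPath, $wrapper . '://') === 0) {
            throw new InvalidArgumentException("Stream wrapper not allowed: $wrapper");
        }
    }
    // Catch unregistered or misspelled schemes (two or more characters before
    // ':', so a Windows drive letter still passes) and embedded NUL bytes.
    if (preg_match('#^[a-z][a-z0-9+.-]+:#i', $userPath) || str_contains($userPath, "\0")) {
        throw new InvalidArgumentException('Scheme or NUL byte in output path');
    }
    // The output file may not exist yet, so resolve its parent directory and
    // require that directory to be the allowed one or to sit below it.
    $base = realpath($allowedDir);
    $dir  = realpath(dirname($userPath));
    if ($base === false || $dir === false
        || ($dir !== $base && !str_starts_with($dir, $base . DIRECTORY_SEPARATOR))) {
        throw new InvalidArgumentException('Output path escapes the allowed directory');
    }
    return $dir . DIRECTORY_SEPARATOR . basename($userPath);
}

// Constructed inputs; the allowed directory is the system temp dir.
$allowed = sys_get_temp_dir();
$inputs = [
    $allowed . '/report.pdf',            // accepted
    'phar://' . $allowed . '/up.jpg/x',  // denied: stream wrapper
    $allowed . '/../etc/passwd',         // denied: escapes allowed directory
];
foreach ($inputs as $path) {
    try {
        $safe = assertSafeOutputPath($path, $allowed);
        echo "OK   $path -> $safe\n";   // only now call file_exists($safe) etc.
    } catch (InvalidArgumentException $e) {
        echo "DENY $path: {$e->getMessage()}\n";
    }
}
```

The same check belongs in front of every path that an upload handler or a user-facing endpoint hands to Snappy's generate* methods, not only the one shown here.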

🔍 How to Verify

Check if Vulnerable:

Check composer.json or installed packages for Snappy version <1.4.2

Check Version:

composer show knplabs/knp-snappy | grep versions

Verify Fix Applied:

Verify Snappy version is 1.4.2 or higher using composer show knplabs/knp-snappy

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with .phar extensions (the phar:// wrapper does not require that extension, so a PHAR archive can also hide behind an image or document extension; inspect upload content, not just the name)
  • Requests containing the phar:// protocol in parameters
  • Unexpected PHP object instantiation in logs

Network Indicators:

  • Unusual outbound connections from web server
  • Large data exfiltration from server

SIEM Query:

source="web_logs" AND (phar:// OR .phar) AND (generateFromHtml OR file_exists)
