phpFox Social Platform fixes critical remote code execution flaw

published: Oct. 30, 2023

Take action: If you are using phpFox, update to version 4.8.14 or later, the release that contains the fix.

Learn More

A severe vulnerability was identified in phpFox that could allow attackers to take control of communities built on the phpFox social platform, and of the servers hosting them.

phpFox is a platform designed specifically for creating social networks. It offers a plethora of features, both free and paid, to enable users to engage with their online communities. Moreover, it provides them with opportunities to monetize their communities.

The vulnerability can be exploited without authentication to inject PHP objects into the target application, a bug class known as PHP object injection (insecure deserialization, CWE-502). This would allow an attacker to compromise not only the targeted social network but also the underlying host it runs on. The root cause is that the "url" request parameter of /core/redirectroute is passed to PHP's unserialize() function without adequate validation. A remote attacker can therefore supply a serialized string that instantiates arbitrary classes available to the application; chained through their magic methods (such as __wakeup() or __destruct()), this can lead to execution of attacker-chosen PHP code. The vulnerability is tracked as CVE-2023-46817 and is rated critical.
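The following is an added illustration of the bug class described above; it is example code written for this page, not phpFox's own source. The class `TempFileCleaner`, the functions `redirectTarget*` and the "site-relative path only" policy are hypothetical stand-ins chosen to show why untrusted input must never reach `unserialize()`, and what the two usual fixes look like.

```php
<?php
// Added example of PHP object injection (CWE-502). Illustrative code for this
// page, not phpFox's source: all names below are hypothetical stand-ins.

// A class whose magic method runs when the object is destroyed. Real-world
// exploitation chains together such methods in classes the application already
// loads; the attacker never uploads code, only a serialized string.
class TempFileCleaner
{
    public $path;

    public function __destruct()
    {
        if (is_string($this->path) && is_file($this->path)) {
            unlink($this->path); // side effect chosen by whoever built the object
        }
    }
}

// Vulnerable pattern: the raw request parameter goes straight into unserialize(),
// so the attacker decides which classes get instantiated.
function redirectTargetVulnerable(string $urlParam): string
{
    $data = unserialize($urlParam);
    return (is_array($data) && isset($data['url'])) ? (string) $data['url'] : '/';
}

// Mitigation 1 (PHP >= 7.0): forbid object instantiation during unserialize().
// Object payloads come back as __PHP_Incomplete_Class and no magic method fires.
function redirectTargetNoObjects(string $urlParam): string
{
    $data = unserialize($urlParam, ['allowed_classes' => false]);
    return (is_array($data) && isset($data['url'])) ? (string) $data['url'] : '/';
}

// Mitigation 2 (preferred): do not accept PHP-serialized request data at all.
// Take a plain string and allow only a site-relative path (assumed policy here),
// which also blocks open redirects such as "//evil.example" or "/\evil.example".
function redirectTargetSafe(string $urlParam): string
{
    return preg_match('#^/(?![/\\\\])[\x21-\x7E]*$#', $urlParam) === 1 ? $urlParam : '/';
}

// --- Demonstration with a constructed payload ---
$victim  = tempnam(sys_get_temp_dir(), 'phpfox-demo-');   // file the attacker wants gone
$payload = sprintf(
    'O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}',
    strlen($victim),
    $victim
);

redirectTargetNoObjects($payload);
echo "after allowed_classes=false: file exists? ", var_export(is_file($victim), true), PHP_EOL;

redirectTargetSafe($payload);
echo "after strict validation:     file exists? ", var_export(is_file($victim), true), PHP_EOL;

redirectTargetVulnerable($payload);   // __destruct() runs as $data leaves scope
echo "after raw unserialize():     file exists? ", var_export(is_file($victim), true), PHP_EOL;
```

Run it with any PHP 7 or 8 CLI. Only the raw `unserialize()` call lets the serialized object's destructor run and remove the file; the `allowed_classes` option neutralises object payloads, and the validation-only version never parses PHP serialization at all. The second approach is the one to prefer: `allowed_classes` stops object instantiation, but a redirect endpoint has no business accepting serialized PHP in the first place.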

After the flaw was reported to phpFox's developers, their initial response was dismissive, downplaying the significance of the issue. They first replied that they did not have such security requirements, and later claimed they had already addressed the issue in an earlier version (4.8.13), which turned out to be untrue.

After some persistence from the security researchers, the developers eventually released a patch in phpFox version 4.8.14, though they did not specify the security fixes in their release notes.
