Full Report
Three security flaws have been disclosed in the open-source PHP package Voyager that could be exploited by an attacker to achieve one-click remote code execution on affected instances. "When an authenticated Voyager user clicks on a malicious link, attackers can execute arbitrary code on the server," Sonar researcher Yaniv Nizry said in a write-up published earlier this week. The
Analysis Summary
# Vulnerability: Multiple Critical Flaws in PHP Voyager Leading to RCE and Data Manipulation
## CVE Details
- CVE ID: CVE-2024-55417, CVE-2024-55416, CVE-2024-55415
- CVSS Score: Not explicitly provided, but chaining results in RCE, strongly suggesting **Critical** or **High** severity.
- CWE: Arbitrary File Write (CWE likely related to Upload Process), Reflected Cross-Site Scripting (XSS).
## Affected Systems
- Products: PHP Voyager (open-source package on GitHub)
- Versions: Unspecified, applies to current unpatched versions.
- Configurations: Any instance using Voyager; the RCE chain requires an **authenticated Voyager user** to trigger it.
## Vulnerability Description
Three security flaws were disclosed in the PHP Voyager package. They can be chained so that an attacker achieves Remote Code Execution (RCE) when an authenticated user clicks a malicious link.
1. **CVE-2024-55417 (Arbitrary File Write):** Located in the `/admin/media/upload` endpoint. This flaw allows an attacker to bypass MIME type verification and upload a malicious "polyglot file" (disguised as an image/video) containing executable PHP code, leading to RCE upon server processing.
2. **CVE-2024-55416 (Reflected XSS):** Located in the `/admin/compass` endpoint. When chained with CVE-2024-55417, an attacker sending a malicious link to a victim can execute arbitrary JavaScript in the victim’s context, allowing the attacker to perform subsequent actions as the victim.
3. **CVE-2024-55415 (Arbitrary File Leak/Deletion):** Affects the file management system, allowing threat actors to delete arbitrary files or leak their contents (especially when chained with the XSS vulnerability).
## Exploitation
- Status: **PoC available** (Implied by technical write-up, successful remote code execution demonstration possible via chaining). The RCE requires an authenticated user to be tricked into clicking a specific link.
- Complexity: **Low** (Requires authentication, but RCE is achieved with a single malicious link click post-authentication).
- Attack Vector: **Network** (Requires interaction via a malicious link, likely leveraging the authenticated session).
## Impact
- Confidentiality: **High** (File leak possible via CVE-2024-55415 chained with XSS).
- Integrity: **High** (Arbitrary file write/deletion and RCE capability).
- Availability: **High** (File deletion can lead to Denial of Service).
## Remediation
### Patches
- **No patch available** as of the report date (Responsible disclosure occurred September 11, 2024, and flaws remain unpatched).
### Workarounds
- Users are advised to **exercise caution** when using the project in their applications until a fix is released.
- Temporarily disabling or restricting access to the `/admin/media/upload` endpoint might reduce exposure to the file write vulnerability.
## Detection
- **Indicators of Compromise (IoCs):** Look for unexpected PHP file execution originating from file uploads in the media directory, or unauthorized file system manipulation/deletion events.
- **Detection Methods and Tools:** Monitor application logs for suspicious requests to `/admin/media/upload` attempting to bypass validation checks. IDS/IPS systems should be configured to flag complex payloads embedded in requests that might indicate polyglot file creation or CSRF attempts on the administrative endpoints.
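A sweep of the media upload directory for the IoC described above, as an added example that is not from the source article or the Voyager project: it flags files with an executable PHP extension and files that begin with image magic bytes yet contain a PHP open tag. The extension list, magic-byte list and sample files are assumptions constructed for illustration; point `scan()` at your instance's media storage directory.

```python
import os
import tempfile

# Magic-byte prefixes for common image/video containers (not exhaustive).
MEDIA_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"RIFF")
# Extensions a PHP handler may execute (assumption; match your server config).
EXEC_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
# Short tags such as "<?=" are omitted: 3-byte runs occur by chance in compressed data.
PHP_MARKER = b"<?php"


def classify(path, max_bytes=8 * 1024 * 1024):
    """Return the list of findings for one file (empty list means clean)."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    ext = os.path.splitext(path)[1].lower()
    findings = []
    if ext in EXEC_EXTS:
        findings.append("executable-extension")
    if PHP_MARKER in data.lower():  # the PHP open tag is case-insensitive
        findings.append("polyglot" if data.startswith(MEDIA_MAGIC) else "php-content")
    return findings


def scan(root):
    """Walk root and map relative path -> findings for every flagged file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found = classify(full)
            if found:
                report[os.path.relpath(full, root)] = found
    return report


def build_sample_tree():
    """Constructed sample data: a clean PNG stub and a PNG-prefixed file named .php."""
    root = tempfile.mkdtemp(prefix="media-scan-")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(png)
    with open(os.path.join(root, "avatar.php"), "wb") as fh:
        fh.write(png + b"<?php /* constructed marker, no payload */ ?>")
    return root


if __name__ == "__main__":
    for rel, found in sorted(scan(build_sample_tree()).items()):
        print(rel, found)
```

A `polyglot` or `executable-extension` hit under the media directory warrants review of the matching upload request in the application logs.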
## References
- Vendor advisories: None provided for a fix; researchers included a link to the Sonar source write-up.
- Relevant links:
  - Source article base URL: hxxps://thehackernews.com/2025/01/unpatched-php-voyager-flaws-leave.html
  - Researcher write-up: hxxps://www.sonarsource.com/blog/the-tainted-voyage-uncovering-voyagers-vulnerabilities/