A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution.
The application passes the user-supplied 'link' parameter directly to the file_get_contents() function without validation. MIME type verification using PHP finfo can be bypassed through crafted stream filter chains that attach fake headers — allowing access to internal Laravel configuration files. The attacker reads the APP_KEY value from the config/app.php file, then forges encrypted cookies, which leads to calling the unsafe unserialize() function and ultimately to reliable remote code execution.
An attacker can gain full control over the server by executing arbitrary code remotely without any authentication. As a result of the attack, it is possible to compromise the entire application environment, including forum user data.
Apply patches available from the vendor according to the references. Additionally, it is recommended to: disable public access to the /get/image/ endpoint, implement restrictive input parameter validation on the server side, rotate APP_KEY values, and invalidate all existing sessions and cookies.
Monero Project forum software based on the Laravel framework; specific versions indicated in the vendor's references
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X