'; } else{ echo ''; } echo 'Hillstone Networks'; } elseif ($_SERVER[HTTP_HOST] == "update1.huaantech.com.cn") { echo ''; echo 'huaantech'; } elseif ($_SERVER[HTTP_HOST] == "update1.dcnetworks.com.cn") { echo ''; echo 'dcnetworks'; } elseif ($_SERVER[HTTP_HOST] == "update1.w-ibeda.com") { if (false===strpos($_SERVER[REQUEST_URI],"/en/")) echo ''; else echo ''; echo 'w-ibeda'; } elseif ($_SERVER[HTTP_HOST] == "update1.hp-telecom.com") { echo ''; echo 'hp-telecom'; } elseif ($_SERVER[HTTP_HOST] == "update1.maipu.com") { echo ''; echo 'Maipu'; } elseif ($_SERVER[HTTP_HOST] == "update1.ncurity.com") { echo ''; echo 'Ncurity'; } elseif ($_SERVER[HTTP_HOST] == "update1.socusnetwork.com") { echo ''; echo 'Socusnetwork'; } else{ echo ''; echo 'Hillstone Networks'; } ?>
 
   
 

RULE(RULE ID:339609)

Rule General Information
Release Date: 2025-11-12
Rule Name: Laravel Phar Deserialization Vulnerability (CVE-2021-3129)
Severity:
CVE ID:
Rule Protection Details
Description: Laravel’s debug mode exposes the ignition endpoint /_ignition/execute-solution, a legitimate troubleshooting interface that can be abused to invoke arbitrary solutions. By injecting a crafted phar:// stream wrapper path into the viewFile parameter, an attacker triggers PHP’s phar deserialization mechanism before the file is verified as existing. This allows instantiation of any class declared in the application or its dependencies, leading to remote code execution, file deletion, credential harvesting, or complete server takeover without authentication. The flaw was silently patched in January 2021 but remains attractive because many cloud and CI environments leave debug mode enabled, and the exploit leaves no error logs when successful.
Impact: An attacker can carefully construct malicious serialized data and pass it to the application, and execute the malicious code constructed by the attacker when the application deserializes the object.
Affected OS: Windows, Linux, Others
Reference:
Solutions
Please contact the software vendor to update the software patch.