
PHP Phar deserialization protection mechanism bypass

Reference: Advisory #2019-012
Version: 1.0
Affected software:
Drupal 8.7 < 8.7.1
Drupal 8.6 < 8.6.16
Drupal 7 < 7.67
TYPO3 PharStreamWrapper 2.x < 2.1.1
TYPO3 PharStreamWrapper 3.x < 3.1.1
Joomla 3.9.3 - 3.9.5
Type: Arbitrary code execution
CVE/CVSS: CVE-2019-11831 - CVSS v3 base score 9.8 (Critical)

Sources

https://nvd.nist.gov/vuln/detail/CVE-2019-11831#VulnChangeHistorySection
https://threatpost.com/drupal-typo3-joomla-phar-flaw/144526/
https://www.securityweek.com/phar-vulnerabilities-patched-drupal-typo3

Risks

An attacker who can get a maliciously crafted Phar archive onto the server and reference it through a phar:// path can bypass the deserialization protection of the PharStreamWrapper by inserting a directory traversal (../) into that path, and so execute arbitrary code on the affected system.

Description

PHP developers can package a project as a Phar (PHP Archive), which bundles all of its files into a single archive that PHP reads through the phar:// stream wrapper. A Phar carries serialized metadata that PHP unserializes as soon as a phar:// path is passed to a filesystem function (for example file_exists() or fopen()), so a planted archive reachable through such a path turns into an unserialize() of attacker-controlled data and, with a suitable gadget chain, arbitrary code execution.

The TYPO3 PharStreamWrapper library, which Drupal, TYPO3 and Joomla bundle for exactly this reason, intercepts phar:// accesses and only permits archives on an allow list. Before the fix, the interceptor did not account for directory traversal when resolving the base name of the archive: for a path such as phar:///path/bad.phar/../good.phar it checked good.phar (allowed) while PHP itself opens bad.phar, so the protection is bypassed.
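The following Python model, added here as an illustration and not taken from the advisory or from the PharStreamWrapper library, shows why the check and PHP disagree on which archive a traversing phar:// path names, and what the hardened check has to do differently. It models PHP's archive selection as "the first path segment with a .phar extension" and assumes a single allow-listed archive; all paths, file names and the allow list are constructed for the example.

```python
"""Constructed model of the CVE-2019-11831 bypass class: an allow-list check that
canonicalises a phar:// path before deciding which archive it names, while the
consumer (PHP's phar stream wrapper) selects the archive from the raw path.
Not the PharStreamWrapper library's code; paths and allow list are invented."""
import posixpath

# Assumed allow list: the one archive the application legitimately loads.
ALLOWED_PHARS = {"/var/www/vendor/good.phar"}

PHAR_SCHEME = "phar://"


def php_phar_archive(url: str) -> str:
    """Model of how PHP's phar wrapper picks the archive: the first path segment
    with a .phar extension is the archive file; everything after it is a path
    inside the archive. '..' segments are not collapsed before this decision."""
    if not url.startswith(PHAR_SCHEME):
        raise ValueError("not a phar:// URL")
    segments = url[len(PHAR_SCHEME):].split("/")
    for i, segment in enumerate(segments):
        if segment.endswith(".phar"):
            return "/".join(segments[: i + 1])
    return ""  # no .phar segment: PHP cannot open it as an archive


def vulnerable_allowed(url: str) -> bool:
    """Pre-fix shape of the check: normalise the whole path (collapsing '..'),
    then look for the archive in the normalised result. A trailing traversal
    makes the check see good.phar while PHP will open bad.phar."""
    normalised = posixpath.normpath(url[len(PHAR_SCHEME):])
    return php_phar_archive(PHAR_SCHEME + normalised) in ALLOWED_PHARS


def hardened_allowed(url: str) -> bool:
    """Fixed shape of the check: determine the archive from the raw path the same
    way the consumer does, refuse any archive prefix that still contains '..'
    (the check and PHP could disagree on it), and only then canonicalise the
    archive path for the allow-list comparison."""
    archive = php_phar_archive(url)
    if not archive or ".." in archive.split("/"):
        return False
    return posixpath.normpath(archive) in ALLOWED_PHARS


def explain(url: str) -> dict:
    """Return what each side would conclude for a given phar:// URL."""
    return {
        "php_opens": php_phar_archive(url),
        "vulnerable_check": vulnerable_allowed(url),
        "hardened_check": hardened_allowed(url),
    }


# Constructed attack path: bad.phar sits in an attacker-writable uploads directory;
# the trailing traversal makes a normalising check resolve to the allowed archive.
ATTACK_URL = "phar:///var/www/uploads/bad.phar/../../vendor/good.phar"
BENIGN_URL = "phar:///var/www/vendor/good.phar/src/Loader.php"

if __name__ == "__main__":
    for url in (BENIGN_URL, ATTACK_URL):
        print(url, explain(url))
```

The general lesson is the one the advisory turns on: a guard that canonicalises input differently from the component it protects can be made to approve one object while the consumer acts on another. The hardened check therefore decides on the raw path exactly as PHP does and treats any remaining ambiguity (a `..` inside the archive prefix) as a rejection rather than trying to resolve it.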

Recommended Actions

CERT.be recommends that system administrators update the affected products to the following fixed versions:

  • Drupal version 8.7.1
  • Drupal version 8.6.16
  • Drupal version 7.67

https://www.drupal.org/sa-core-2019-007

  • TYPO3 PharStreamWrapper version 2.1.1
  • TYPO3 PharStreamWrapper version 3.1.1 (the fixed library ships with the TYPO3 9.5.6 and 8.7.25 security releases)

https://typo3.org/article/typo3-956-and-8725-security-releases-published/

  • Joomla version 3.9.6

https://developer.joomla.org/security-centre/781-%2020190502-core-by-passing-protection-of-phar-stream-wrapper-interceptor.html