PHP Phar deserialization protection mechanism bypass
CVE-2019-11831 - CVSS v3 base score: 9.8 (Critical)
Sources
https://nvd.nist.gov/vuln/detail/CVE-2019-11831#VulnChangeHistorySection
https://threatpost.com/drupal-typo3-joomla-phar-flaw/144526/
https://www.securityweek.com/phar-vulnerabilities-patched-drupal-typo3
Risks
An attacker can bypass the deserialization protection mechanism of the PharStreamWrapper library by placing a directory traversal in a phar:// path, and thereby execute arbitrary code via a maliciously crafted phar file. The precondition is the usual one for phar attacks: the application must perform a filesystem operation (file_exists(), is_dir(), fopen(), ...) on a path the attacker controls, and the attacker must be able to place a crafted phar file on the server, for example through an upload.
Description
Developers using PHP can package a project as a Phar (PHP Archive), a single file that bundles all of the project's files. PHP's built-in phar:// stream wrapper makes such an archive accessible to ordinary filesystem functions, and the archive's metadata is unserialized when PHP parses the archive (on PHP 7 a plain file_exists() on a phar:// path is enough). A crafted phar file reachable through a phar:// path therefore turns into PHP object injection and, given a suitable gadget chain in the application, arbitrary code execution.
The PharStreamWrapper library (typo3/phar-stream-wrapper, used by TYPO3, Drupal and Joomla) was introduced as a protection mechanism: it takes over the phar:// wrapper and checks, before an archive is opened, whether that archive is allowed. The check did not account for directory traversal in the supplied path, such as phar:///path/bad.phar/../good.phar: the archive the check reasons about and the archive PHP's own phar handling actually opens can differ, which bypasses the protection.
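The following is an added illustration of the class of check the advisory describes and of a stricter variant; it is not code from CERT.be, from PHP or from the typo3/phar-stream-wrapper project, and the function names, the /var/app paths and the allowlist are assumptions. It shows a guard that collapses ".." lexically and therefore accepts the traversal path from the advisory, beside a guard that refuses any path that can be read two ways, plus the first-line check a practitioner usually wants: no stream-wrapper scheme in user-controlled paths at all.

```php
<?php
// Added example for this advisory; NOT code from CERT.be, PHP or
// typo3/phar-stream-wrapper. Function names, /var/app paths and the
// allowlist are illustrative. Runs on PHP 7.1+ with no phar on disk:
//   php phar_guard.php

/**
 * First line of defence: user input that reaches file_exists(), is_dir(),
 * fopen() and friends must never carry a stream-wrapper scheme. Any
 * "scheme://" prefix (phar://, data://, compress.zlib://, ...) is rejected
 * before PHP gets to interpret it.
 */
function hasStreamWrapperScheme(string $path): bool
{
    return (bool) preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path);
}

/** Strips a leading phar:// and splits the rest into segments; null if not phar://. */
function pharSegments(string $url): ?array
{
    if (!preg_match('#^phar://(.*)$#is', $url, $m)) {
        return null;
    }
    return explode('/', $m[1]);
}

/**
 * Naive guard: "." and ".." are collapsed lexically and the result is matched
 * against the allowlist. For phar:///var/app/bad.phar/../good.phar this yields
 * /var/app/good.phar and passes, although the string handed to PHP still
 * names bad.phar, and PHP's wrapper, not this guard, decides what is opened.
 */
function naiveArchiveAllowed(string $url, array $allowedArchives): bool
{
    $segments = pharSegments($url);
    if ($segments === null) {
        return false;
    }
    $stack = [];
    foreach ($segments as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($stack);
            continue;
        }
        $stack[] = $segment;
    }
    $collapsed = '/' . implode('/', $stack);
    foreach ($allowedArchives as $archive) {
        // the archive itself, or an entry inside it
        if ($collapsed === $archive || strpos($collapsed, $archive . '/') === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Strict guard: instead of canonicalising, refuse every path that could be
 * read two ways. Empty, "." and ".." segments are rejected outright, the
 * archive is the first ".phar" segment from the left (everything after it is
 * the entry path inside the archive), and the full absolute archive path must
 * be on the allowlist.
 */
function strictArchiveAllowed(string $url, array $allowedArchives): bool
{
    $segments = pharSegments($url);
    if ($segments === null || $segments[0] !== '') {   // must be absolute: phar:///...
        return false;
    }
    $archiveParts = [];
    $archive = null;
    foreach (array_slice($segments, 1) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return false;
        }
        $archiveParts[] = $segment;
        if ($archive === null && strtolower(substr($segment, -5)) === '.phar') {
            $archive = '/' . implode('/', $archiveParts);
        }
    }
    return $archive !== null && in_array($archive, $allowedArchives, true);
}

// Demonstration with constructed inputs.
$allowed = ['/var/app/good.phar'];
$probes = [
    'phar:///var/app/good.phar/config.json',       // legitimate use
    'phar:///var/app/bad.phar/../good.phar',       // the traversal from the advisory
    'phar:///var/app/bad.phar/../good.phar/x.txt',
];
foreach ($probes as $probe) {
    printf("%-46s naive=%s strict=%s\n", $probe,
        naiveArchiveAllowed($probe, $allowed) ? 'allow' : 'block',
        strictArchiveAllowed($probe, $allowed) ? 'allow' : 'block');
}
printf("wrapper scheme in user input '%s': %s\n", 'phar:///tmp/upload.jpg',
    hasStreamWrapperScheme('phar:///tmp/upload.jpg') ? 'yes, reject' : 'no');
```

The naive guard allows all three probes; the strict guard allows only the first. The design point is that a guard which canonicalises a path on its own, and then lets a different component (here PHP's phar wrapper) parse the same string again, can be argued past whenever the two disagree. Rejecting ambiguous input is cheaper and safer than trying to predict the consumer's parsing, and keeping phar:// (and any other scheme) out of user-controlled paths removes the attack surface entirely.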
Recommended Actions
CERT.be recommends that system administrators update their products to the fixed versions:
- Drupal version 8.7.1
- Drupal version 8.6.16
- Drupal version 7.67
https://www.drupal.org/sa-core-2019-007
- typo3/phar-stream-wrapper (the TYPO3 PharStreamWrapper library) version 2.1.1 for the 2.x branch
- typo3/phar-stream-wrapper version 3.1.1 for the 3.x branch
These are versions of the library, not of TYPO3 CMS; TYPO3 CMS installations should apply the security releases linked below, and projects that pull the library in directly via Composer should update it to one of these versions.
https://typo3.org/article/typo3-956-and-8725-security-releases-published/
- Joomla version 3.9.6