PHP Phar deserialization protection mechanism bypass
CVE-2019-11831 - CVE Score: 9.8
An attacker can bypass the deserialization protection mechanism of the PharStreamWrapper by using directory traversal, and then execute arbitrary code via a maliciously crafted phar file.
Developers using PHP can use Phar (PHP Archive) to distribute their project: it bundles all the files into a single archive.
The PharStreamWrapper can be abused to execute arbitrary code. A protection mechanism has been put in place, but it does not check for directory traversal, so a path such as phar:///path/bad.phar/../good.phar is not caught.
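As an added example, not code from CERT.be, PHP or the PharStreamWrapper project, the following PHP validator shows the kind of check the advisory's point calls for: resolve `.` and `..` segments before deciding which archive a `phar://` URL refers to, reject the URL when traversal changes that answer, and only then compare the archive against an allowlist. The function names, the allowlist and the sample paths are constructed for illustration.

```php
<?php
// Added example: an illustrative phar:// URL validator. Not code from CERT.be,
// PHP or the typo3/phar-stream-wrapper project; all paths below are constructed.
declare(strict_types=1);

/**
 * Lexically resolve "." and ".." segments without touching the filesystem.
 * Returns null when ".." would climb above "/", which can never be a valid
 * absolute archive location.
 */
function normalizePharPath(string $path): ?string
{
    $parts = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($parts === []) {
                return null; // traversal above the root
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

/**
 * The archive a phar path refers to: the first segment ending in ".phar".
 * Everything after it is a path inside that archive.
 */
function archiveOf(string $path): ?string
{
    if (preg_match('#^(.*?\.phar)(?:/|$)#i', $path, $m) === 1) {
        return $m[1];
    }
    return null;
}

/**
 * Hardened check. A suffix-only test on the raw string would see "good.phar"
 * at the end of "phar:///path/bad.phar/../good.phar"; here the raw path names
 * /path/bad.phar while the normalized path names /path/good.phar, so the URL
 * is rejected instead of guessing which one the runtime will open.
 */
function isPharUrlAllowed(string $url, array $allowedArchives): bool
{
    if (stripos($url, 'phar://') !== 0) {
        return false;
    }
    $raw = substr($url, strlen('phar://'));
    $normalized = normalizePharPath($raw);
    if ($normalized === null) {
        return false;
    }
    $rawArchive = archiveOf($raw);
    $normArchive = archiveOf($normalized);
    if ($rawArchive === null || $normArchive === null || $rawArchive !== $normArchive) {
        return false;
    }
    // Only archives the application deployed itself are acceptable.
    return in_array($normArchive, $allowedArchives, true);
}

// Constructed allowlist and sample URLs.
$allowed = ['/path/good.phar'];
var_dump(isPharUrlAllowed('phar:///path/good.phar/vendor/autoload.php', $allowed));
var_dump(isPharUrlAllowed('phar:///path/bad.phar/../good.phar', $allowed));
var_dump(isPharUrlAllowed('phar:///path/bad.phar/file.txt', $allowed));
```

The design choice worth noting is the disagreement test: rather than trusting either the raw or the normalized archive name, the validator refuses any URL where the two differ, so a traversal can never make the allowlist vouch for a different file than the one that ends up being opened.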
CERT.be recommends that system administrators update their products to the latest version:
- Drupal version 8.7.1
- Drupal version 8.6.16
- Drupal version 7.67
- Typo3 version 2.1.1
- Typo3 version 3.1.1
- Joomla version 3.9.6