In library , providing handlers to protect against by substituting files in the "Phar" format, (), which allows bypassing code deserialization protection by substituting ".." characters in the path. For example, an attacker could use a URL like "phar:///path/bad.phar/../good.phar" for an attack, and the library would select the base name "/path/good.phar" during verification, although further processing of such a path would use the file "/path/bad.phar."
The library was developed by the creators of CMS TYPO3, but is also used in projects Drupal и Joomla, which makes them also vulnerable. The issue is fixed in the releases . Project Drupal Fixed the issue in updates 7.67, 8.6.16 and 8.7.1. Joomla The issue has been present since version 3.9.3 and was fixed in release 3.9.6. To fix the issue in TYPO3, you need to update the PharStreamWapper library.
From a practical standpoint, the vulnerability in PharStreamWapper allows the user Drupal Core, with 'Administer theme' privileges, uploads a malicious phar file and executes the PHP code contained within, disguised as a legitimate phar archive. As a reminder, the "Phar deserialization" attack works by automatically deserializing metadata from Phar (PHP Archive) files when checking uploaded help files for the PHP function file_exists() when processing paths beginning with "phar://." Transferring a phar file as an image is possible, since file_exists() determines the MIME type based on the file's content, not its extension.
Source: opennet.ru
