A vulnerability in the PharStreamWrapper library affects Drupal, Joomla and Typo3

In library PharStreamWrapper, providing handlers to protect against of attacks by substituting files in the "Phar" format, identified Vulnerable (CVE-2019-11831), which allows bypassing code deserialization protection by substituting ".." characters in the path. For example, an attacker could use a URL like "phar:///path/bad.phar/../good.phar" for an attack, and the library would select the base name "/path/good.phar" during verification, although further processing of such a path would use the file "/path/bad.phar."

The library was developed by the creators of CMS TYPO3, but is also used in projects Drupal и Joomla, which makes them also vulnerable. The issue is fixed in the releases PharStreamWrapper 2.1.1 and 3.1.1. Project Drupal Fixed the issue in updates 7.67, 8.6.16 and 8.7.1. Joomla The issue has been present since version 3.9.3 and was fixed in release 3.9.6. To fix the issue in TYPO3, you need to update the PharStreamWapper library.

From a practical standpoint, the vulnerability in PharStreamWapper allows the user Drupal Core, with 'Administer theme' privileges, uploads a malicious phar file and executes the PHP code contained within, disguised as a legitimate phar archive. As a reminder, the "Phar deserialization" attack works by automatically deserializing metadata from Phar (PHP Archive) files when checking uploaded help files for the PHP function file_exists() when processing paths beginning with "phar://." Transferring a phar file as an image is possible, since file_exists() determines the MIME type based on the file's content, not its extension.

Source: opennet.ru

Buy reliable hosting for sites with DDoS protection, VPS VDS servers 🔥 Buy reliable website hosting with DDoS protection, VPS VDS servers | ProHoster