Vulnerability in the PharStreamWrapper library affecting Drupal, Joomla and TYPO3

A vulnerability (CVE-2019-11831) has been identified in the PharStreamWrapper library, which provides stream-wrapper handlers that protect against attacks based on substituted files in the "Phar" format. It allows the protection against code deserialization to be bypassed by inserting ".." segments into the path. For example, an attacker can use a URL such as "phar:///path/bad.phar/../good.phar": during the check, the library determines the base file to be "/path/good.phar", but when the path is later processed the file "/path/bad.phar" is the one actually used.

The library was developed by the developers of the TYPO3 CMS, but it is also used in the Drupal and Joomla projects, which makes them vulnerable as well. The issue is fixed in PharStreamWrapper releases 2.1.1 and 3.1.1. The Drupal project fixed the problem in updates 7.67, 8.6.16 and 8.7.1. In Joomla the problem has been present since version 3.9.3 and was fixed in release 3.9.6. To fix the problem in TYPO3, the PharStreamWrapper library must be updated.

In practical terms, the PharStreamWrapper vulnerability allows a Drupal Core user with the 'Administer theme' permission to upload a malicious phar file and have the PHP code contained in it executed under the guise of a legitimate theme archive. Recall that the essence of the "Phar deserialization" attack is that when uploaded files are checked with the PHP function file_exists(), this function automatically deserializes metadata from Phar (PHP Archive) files while processing paths that begin with "phar://". A phar file can be passed off as an image, since the file_exists() function determines the MIME type from the content rather than from the extension.

Source: opennet.ru
