Vulnerability in the PharStreamWrapper library affecting Drupal, Joomla and Typo3

The PharStreamWrapper library, which provides handlers to protect against attacks based on substituting files in the "Phar" format, has been found to contain a vulnerability (CVE-2019-11831) that allows the code deserialization protection to be bypassed by inserting ".." characters into the path. For example, an attacker can use a URL such as "phar:///path/bad.phar/../good.phar" for an attack: the library will extract the base name "/path/good.phar" during its check, although when such a path is subsequently processed the file "/path/bad.phar" will actually be used.
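The following PHP snippet is an added illustration and is not PharStreamWrapper's, Drupal's or TYPO3's own code. It models the mismatch described above: a check that validates the textually normalised archive name sees "/path/good.phar", while PHP's phar wrapper opens the first existing file along the path prefix, which is "/path/bad.phar". The helper names (normalizePath, archiveOpenedByPhp, naiveCheck, hardenedCheck) and the in-memory file list are assumptions made for the example; the prefix-walking model of the phar wrapper is deliberately simplified.

```php
<?php
declare(strict_types=1);

// Added illustration (not library code): why validating the normalised base
// name of a phar:// URL is not enough, and what a hardened check looks like.

/** Collapse "." and ".." segments textually. Hypothetical helper. */
function normalizePath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
        } else {
            $out[] = $seg;
        }
    }
    return '/' . implode('/', $out);
}

/**
 * Simplified model of how PHP's phar wrapper selects the archive: it walks
 * the path prefix by prefix and uses the first prefix that is an existing
 * file; the rest of the path is treated as an entry inside that archive.
 * $existingFiles stands in for the filesystem so the example runs offline.
 */
function archiveOpenedByPhp(string $path, array $existingFiles): ?string
{
    $segments = array_values(array_filter(explode('/', $path), fn($s) => $s !== ''));
    $prefix = '';
    foreach ($segments as $seg) {
        $prefix .= '/' . $seg;
        if (in_array($prefix, $existingFiles, true)) {
            return $prefix;
        }
    }
    return null;
}

/** The flawed idea: validate only the textually normalised archive name. */
function naiveCheck(string $pharUrl, array $allowList): bool
{
    $path = substr($pharUrl, strlen('phar://'));
    return in_array(normalizePath($path), $allowList, true);
}

/**
 * Hardened check: refuse traversal segments outright, and validate the
 * archive PHP would really open instead of the normalised base name.
 */
function hardenedCheck(string $pharUrl, array $allowList, array $existingFiles): bool
{
    $path = substr($pharUrl, strlen('phar://'));
    foreach (explode('/', $path) as $seg) {
        if ($seg === '..') {
            return false;
        }
    }
    $archive = archiveOpenedByPhp($path, $existingFiles);
    return $archive !== null && in_array($archive, $allowList, true);
}

// Constructed sample data: bad.phar is an untrusted upload, good.phar is trusted.
$files = ['/path/bad.phar', '/path/good.phar'];
$allow = ['/path/good.phar'];
$url   = 'phar:///path/bad.phar/../good.phar';

var_dump(naiveCheck($url, $allow));
var_dump(archiveOpenedByPhp('/path/bad.phar/../good.phar', $files));
var_dump(hardenedCheck($url, $allow, $files));
var_dump(hardenedCheck('phar:///path/good.phar', $allow, $files));
```

Run with `php example.php`. The naive check accepts the traversal URL because it only ever sees "/path/good.phar", while archiveOpenedByPhp shows that "/path/bad.phar" is the archive that would be opened; the hardened check rejects the traversal URL and still accepts the plain "phar:///path/good.phar". The practical lesson for a defender is that any allow-list on phar:// paths must be evaluated on the archive the runtime will actually open, not on a cleaned-up string.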

The library was developed by the creators of the TYPO3 CMS, but it is also used in the Drupal and Joomla projects, which makes them vulnerable as well. The problem was fixed in PharStreamWrapper releases 2.1.1 and 3.1.1. The Drupal project fixed the issue in updates 7.67, 8.6.16 and 8.7.1. In Joomla the problem is present starting from version 3.9.3 and was fixed in release 3.9.6. To fix the problem in TYPO3, the PharStreamWrapper library needs to be updated.

In practical terms, the vulnerability in PharStreamWrapper allows a Drupal Core user with the 'Administer themes' permission to upload a malicious phar file and cause the PHP code contained in it to be executed under the guise of a legitimate phar archive. Recall that the essence of the "Phar deserialization" attack is that when uploaded helper files are checked with the PHP function file_exists(), this function automatically unserializes the metadata of Phar (PHP Archive) files while processing paths that start with "phar://". A phar file can be passed off as an image, since the file_exists() function determines the MIME type by content rather than by extension.

Source: opennet.ru
