CVE-2018-1000888 – PEAR Archive_Tar < 1.4.4 - PHP Object Injection
https://notcve.org/view.php?id=CVE-2018-1000888
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. Several file operations take `$v_header['filename']` as a parameter (such as `file_exists`, `is_file`, `is_dir`, etc.). When extract is called without a specific prefix path, unserialization can be triggered by crafting a tar file with `phar://[path_to_malicious_phar_file]` as the path. Object injection can be used to trigger destructors in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. • https://www.exploit-db.com/exploits/46108 https://blog.ripstech.com/2018/new-php-exploitation-technique https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html https://pear.php.net/bugs/bug.php?id=23782 https://pear.php.net/package/Archive_Tar/download https://security.gentoo.org/glsa/202006-14 https://usn.ubuntu.com/3857-1 https:/ • CWE-502: Deserialization of Untrusted Data •
CVE-2017-5630 – PHP PEAR 1.10.1 - Arbitrary File Download
https://notcve.org/view.php?id=CVE-2017-5630
PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite. PEAR Base System version 1.10.1 and Installer's download utility suffer from an arbitrary file download vulnerability. • https://www.exploit-db.com/exploits/41185 http://pear.php.net/bugs/bug.php?id=21171 http://www.securityfocus.com/bid/95882 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2011-1072 – php-pear: symlink vulnerability in PEAR installer
https://notcve.org/view.php?id=CVE-2011-1072
The installer in PEAR before 1.9.2 allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories, a different vulnerability than CVE-2007-2519. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546164 http://news.php.net/php.pear.cvs/61264 http://openwall.com/lists/oss-security/2011/02/28/12 http://openwall.com/lists/oss-security/2011/02/28/3 http://openwall.com/lists/oss-security/2011/02/28/5 http://openwall.com/lists/oss-security/2011/03/01/4 http://openwall.com/lists/oss-security/2011/03/01/5 http://openwall.com/lists/oss-security/2011/03/01/7 http://openwall.com/lists/oss • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2011-1144
https://notcve.org/view.php?id=CVE-2011-1144
The installer in PEAR 1.9.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1072. • http://openwall.com/lists/oss-security/2011/02/28/5 http://openwall.com/lists/oss-security/2011/03/01/4 http://openwall.com/lists/oss-security/2011/03/01/5 http://openwall.com/lists/oss-security/2011/03/01/7 http://openwall.com/lists/oss-security/2011/03/01/8 http://openwall.com/lists/oss-security/2011/03/01/9 http://pear.php.net/bugs/bug.php?id=18056 https://exchange.xforce.ibmcloud.com/vulnerabilities/65911 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2007-2519 – PHP PEAR 1.5.3 - INSTALL-AS Attribute Arbitrary File Overwrite
https://notcve.org/view.php?id=CVE-2007-2519
Directory traversal vulnerability in the installer in PEAR 1.0 through 1.5.3 allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in the (1) install-as attribute in the file element in package.xml 1.0 or the (2) as attribute in the install element in package.xml 2.0. NOTE: it could be argued that this does not cross privilege boundaries in typical installations, since the code being installed could perform the same actions. • https://www.exploit-db.com/exploits/30074 http://osvdb.org/42108 http://pear.php.net/advisory-20070507.txt http://pear.php.net/news/vulnerability2.php http://secunia.com/advisories/25372 http://www.mandriva.com/security/advisories?name=MDKSA-2007:110 http://www.securityfocus.com/bid/24111 http://www.ubuntu.com/usn/usn-462-1 http://www.vupen.com/english/advisories/2007/1926 https://exchange.xforce.ibmcloud.com/vulnerabilities/34482 •