CVE-2018-1000888 – PEAR Archive_Tar < 1.4.4 - PHP Object Injection
https://notcve.org/view.php?id=CVE-2018-1000888
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. • https://www.exploit-db.com/exploits/46108 https://blog.ripstech.com/2018/new-php-exploitation-technique https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html https://pear.php.net/bugs/bug.php?id=23782 https://pear.php.net/package/Archive_Tar/download https://security.gentoo.org/glsa/202006-14 https://usn.ubuntu.com/3857-1 https:/ • CWE-502: Deserialization of Untrusted Data •
CVE-2006-0931
https://notcve.org/view.php?id=CVE-2006-0931
Directory traversal vulnerability in PEAR::Archive_Tar 1.2, and other versions before 1.3.2, allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a TAR archive. • http://pear.php.net/bugs/bug.php?id=6933 http://pear.php.net/package/Archive_Tar/download http://secunia.com/advisories/19011 http://www.hamid.ir/security/phptar.txt http://www.osvdb.org/23481 http://www.securityfocus.com/archive/1/425967/100/0/threaded http://www.securityfocus.com/bid/16805 http://www.vupen.com/english/advisories/2006/0728 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •