CVE-2018-1000888 – PEAR Archive_Tar < 1.4.4 - PHP Object Injection

https://notcve.org/view.php?id=CVE-2018-1000888

PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. • https://www.exploit-db.com/exploits/46108 https://blog.ripstech.com/2018/new-php-exploitation-technique https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html https://pear.php.net/bugs/bug.php?id=23782 https://pear.php.net/package/Archive_Tar/download https://security.gentoo.org/glsa/202006-14 https://usn.ubuntu.com/3857-1 https:/ • CWE-502: Deserialization of Untrusted Data •