TYPO3 PSA 2019 008 - TYPO3/phar-stream-wrapper GitHub Wiki

TYPO3-PSA-2019-008: By-passing protection of Phar Stream Wrapper Interceptor

  • Release date: May 8, 2019
  • Impact: By-passing protection against insecure deserialization
  • Affected versions: v2.0.0-v2.1.0 and v3.0.0-v3.1.0 of the package

Problem Description

Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application. In July 2018, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the TYPO3 core. For more details read the corresponding TYPO3 advisory.

The specific PharMetaDataInterceptor is targeted to discover potential insecure serialized objects in the meta-data section of Phar archives. In order to retrieve that information the Phar structure has been parsed without actually invoking PHP’s native process - which would directly lead to the original vulnerability. Due to flaws in Phar stub parsing it was possible to inject manipulated bundles that would to have been blocked by the mentioned PharMetaDataInterceptor.

Solution

Internal Phar stub parsing has been adjusted to match actual handling like provided in the native PHP source code.

The Phar Stream Wrapper package is available for any PHP driven project for download.

Users who downloaded the previous version are advised to upgrade to versions 3.1.1 (for PHP v7.0 and later) and 2.1.1 (for PHP v5.3 and later) to keep their projects safe.

Severity

The final severity assessment has to be done in the component making use of the Phar Stream Wrapper package and depends on the interceptor strategy that has been used. In case file invocations on user submitted paths are allowed at least insecure deserialization is possible. Depending on the specific implementation in the using components this could lead to higher impact scores concerning confidentiality, integrity and availability.

Download

Please either upgrade to versions v3.1.1 and v2.1.1 manually or ensure Composer dependencies are raised to the mentioned new versions.

Credits

Thanks to Tom Klingenberg who reported this issue and provided according security fixes.

General advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.


References