Vulnerabilities > CVE-2018-1000888 - Deserialization of Untrusted Data vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 | |
| OS | 3 | |
| OS | 2 |
Common Weakness Enumeration (CWE)
Exploit-Db
| file | exploits/php/webapps/46108.txt |
| id | EDB-ID:46108 |
| last seen | 2019-01-10 |
| modified | 2019-01-10 |
| platform | php |
| port | |
| published | 2019-01-10 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/46108 |
| title | PEAR Archive_Tar < 1.4.4 - PHP Object Injection |
| type | webapps |
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3857-1.NASL description Fariskhi Vidyan discovered that PEAR Archive_Tar incorrectly handled certain archive paths. A remote attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 121187 published 2019-01-15 reporter Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121187 title Ubuntu 16.04 LTS / 18.04 LTS / 18.10 : php-pear vulnerability (USN-3857-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3857-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(121187); script_version("1.4"); script_cvs_date("Date: 2019/09/18 12:31:49"); script_cve_id("CVE-2018-1000888"); script_xref(name:"USN", value:"3857-1"); script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 18.10 : php-pear vulnerability (USN-3857-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Fariskhi Vidyan discovered that PEAR Archive_Tar incorrectly handled certain archive paths. A remote attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3857-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected php-pear package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-pear"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/28"); script_set_attribute(attribute:"patch_publication_date", value:"2019/01/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/15"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(16\.04|18\.04|18\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 18.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"16.04", pkgname:"php-pear", pkgver:"1:1.10.1+submodules+notgz-6ubuntu0.1")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"php-pear", pkgver:"1:1.10.5+submodules+notgz-1ubuntu1.18.04.1")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"php-pear", pkgver:"1:1.10.5+submodules+notgz-1ubuntu1.18.10.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-pear"); }NASL family CGI abuses NASL id DRUPAL_8_6_6.NASL description According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.62, 8.5.x prior to 8.5.9, or 8.6.x prior to 8.6.6. It is, therefore, affected by multiple phar handling vulnerabilities. An unauthenticated attacker could leverage these vulnerabilities to potentially perform remote code execution attacks and gain access in the context the web server user. last seen 2020-06-01 modified 2020-06-02 plugin id 121214 published 2019-01-16 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121214 title Drupal 7.x < 7.62 / 8.5.x < 8.5.9 / 8.6.x < 8.6.6 Multiple Vulnerabilities (SA-CORE-2019-001, SA-CORE-2019-002) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(121214); script_version("1.6"); script_cvs_date("Date: 2019/10/31 15:18:51"); script_cve_id("CVE-2018-1000888", "CVE-2019-6338", "CVE-2019-6339"); script_bugtraq_id(106647, 106664, 106706); script_xref(name:"EDB-ID", value:"46108"); script_name(english:"Drupal 7.x < 7.62 / 8.5.x < 8.5.9 / 8.6.x < 8.6.6 Multiple Vulnerabilities (SA-CORE-2019-001, SA-CORE-2019-002)"); script_summary(english:"Checks the version of Drupal."); script_set_attribute(attribute:"synopsis", value: "A PHP application running on the remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.62, 8.5.x prior to 8.5.9, or 8.6.x prior to 8.6.6. It is, therefore, affected by multiple phar handling vulnerabilities. An unauthenticated attacker could leverage these vulnerabilities to potentially perform remote code execution attacks and gain access in the context the web server user."); script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/sa-core-2019-001"); script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/sa-core-2019-002"); script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/7.62"); script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/8.5.9"); script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/8.6.6"); script_set_attribute(attribute:"solution", value: "Upgrade to Drupal version 7.60 / 8.5.8 / 8.6.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6339"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/16"); script_set_attribute(attribute:"patch_publication_date", value:"2019/01/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/16"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("drupal_detect.nasl"); script_require_keys("installed_sw/Drupal", "Settings/ParanoidReport"); script_require_ports("Services/www", 80, 443); exit(0); } include("vcf.inc"); include("http.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); port = get_http_port(default:80, php:TRUE); app_info = vcf::get_app_info(app:"Drupal", port:port, webapp:true); vcf::check_granularity(app_info:app_info, sig_segments:2); constraints = [ { "min_version" : "8.5", "fixed_version" : "8.5.9" }, { "min_version" : "8.6", "fixed_version" : "8.6.6" }, { "min_version" : "7.0", "fixed_version" : "7.62" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1674.NASL description php-pear in php5 contains CWE-502 (Deserialization of Untrusted Data) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) vulnerabilities in its Archive_Tar class. When extract is called without a specific prefix path, can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, all with possible remote code execution that can result in files being deleted or possibly modified. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 122101 published 2019-02-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122101 title Debian DLA-1674-1 : php5 security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1674-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(122101); script_version("1.2"); script_cvs_date("Date: 2019/04/02 21:54:16"); script_cve_id("CVE-2018-1000888"); script_name(english:"Debian DLA-1674-1 : php5 security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "php-pear in php5 contains CWE-502 (Deserialization of Untrusted Data) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) vulnerabilities in its Archive_Tar class. When extract is called without a specific prefix path, can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, all with possible remote code execution that can result in files being deleted or possibly modified. For Debian 8 'Jessie', this problem has been fixed in version 5.6.39+dfsg-0+deb8u2. We recommend that you upgrade your php5 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/php5" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libapache2-mod-php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libapache2-mod-php5filter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libphp5-embed"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-pear"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-cgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-interbase"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-mysqlnd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-phpdbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-readline"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-sybase"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-xsl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/28"); script_set_attribute(attribute:"patch_publication_date", value:"2019/02/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"libapache2-mod-php5", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"libapache2-mod-php5filter", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"libphp5-embed", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php-pear", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-cgi", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-cli", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-common", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-curl", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-dbg", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-dev", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-enchant", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-fpm", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-gd", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-gmp", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-imap", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-interbase", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-intl", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-ldap", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-mcrypt", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-mysql", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-mysqlnd", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-odbc", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-pgsql", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-phpdbg", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-pspell", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-readline", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-recode", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-snmp", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-sqlite", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-sybase", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-tidy", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-xmlrpc", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"php5-xsl", reference:"5.6.39+dfsg-0+deb8u2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2019-1159.NASL description PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header[ last seen 2020-06-01 modified 2020-06-02 plugin id 122160 published 2019-02-14 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122160 title Amazon Linux 2 : php-pear (ALAS-2019-1159) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux 2 Security Advisory ALAS-2019-1159. # include("compat.inc"); if (description) { script_id(122160); script_version("1.2"); script_cvs_date("Date: 2019/04/02 21:54:16"); script_cve_id("CVE-2018-1000888"); script_xref(name:"ALAS", value:"2019-1159"); script_name(english:"Amazon Linux 2 : php-pear (ALAS-2019-1159)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux 2 host is missing a security update." ); script_set_attribute( attribute:"description", value: "PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.(CVE-2018-1000888)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2019-1159.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update php-pear' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-pear"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/28"); script_set_attribute(attribute:"patch_publication_date", value:"2019/02/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/14"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "2") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"AL2", reference:"php-pear-1.10.7-3.amzn2.0.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-pear"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4378.NASL description Fariskhi Vidyan discovered that the PEAR Archive_Tar package for handling tar files in PHP is prone to a PHP object injection vulnerability, potentially allowing a remote attacker to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 121486 published 2019-01-31 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121486 title Debian DSA-4378-1 : php-pear - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4378. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(121486); script_version("1.3"); script_cvs_date("Date: 2019/04/02 21:54:16"); script_cve_id("CVE-2018-1000888"); script_xref(name:"DSA", value:"4378"); script_name(english:"Debian DSA-4378-1 : php-pear - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Fariskhi Vidyan discovered that the PEAR Archive_Tar package for handling tar files in PHP is prone to a PHP object injection vulnerability, potentially allowing a remote attacker to execute arbitrary code." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919147" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/php-pear" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/php-pear" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4378" ); script_set_attribute( attribute:"solution", value: "Upgrade the php-pear packages. For the stable distribution (stretch), this problem has been fixed in version 1:1.10.1+submodules+notgz-9+deb9u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-pear"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/28"); script_set_attribute(attribute:"patch_publication_date", value:"2019/01/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/31"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"9.0", prefix:"php-pear", reference:"1:1.10.1+submodules+notgz-9+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1121.NASL description According to the version of the php-pear package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header[ last seen 2020-05-06 modified 2019-04-02 plugin id 123595 published 2019-04-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123595 title EulerOS 2.0 SP2 : php-pear (EulerOS-SA-2019-1121) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(123595); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2018-1000888" ); script_name(english:"EulerOS 2.0 SP2 : php-pear (EulerOS-SA-2019-1121)"); script_summary(english:"Checks the rpm output for the updated package."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing a security update."); script_set_attribute(attribute:"description", value: "According to the version of the php-pear package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this-i1/4z_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. (CVE-2018-1000888) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1121 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8a92feac"); script_set_attribute(attribute:"solution", value: "Update the affected php-pear package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2019/03/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/02"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-pear"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["php-pear-1.9.4-21.h1"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-pear"); }NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1147.NASL description According to the version of the php-pear package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header[ last seen 2020-05-06 modified 2019-04-02 plugin id 123621 published 2019-04-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123621 title EulerOS 2.0 SP5 : php-pear (EulerOS-SA-2019-1147) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(123621); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2018-1000888" ); script_name(english:"EulerOS 2.0 SP5 : php-pear (EulerOS-SA-2019-1147)"); script_summary(english:"Checks the rpm output for the updated package."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing a security update."); script_set_attribute(attribute:"description", value: "According to the version of the php-pear package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this-i1/4z_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. (CVE-2018-1000888) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1147 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4d33b641"); script_set_attribute(attribute:"solution", value: "Update the affected php-pear package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/02"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-pear"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["php-pear-1.9.4-21.h1.eulerosv2r7"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-pear"); }NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1685.NASL description Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details. Also a possible regression caused by CVE-2019-6339 is fixed. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 122320 published 2019-02-20 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122320 title Debian DLA-1685-1 : drupal7 security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1685-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(122320); script_version("1.3"); script_cvs_date("Date: 2020/02/10"); script_cve_id("CVE-2019-6338"); script_name(english:"Debian DLA-1685-1 : drupal7 security update"); script_summary(english:"Checks dpkg output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details. Also a possible regression caused by CVE-2019-6339 is fixed. For Debian 8 'Jessie', this problem has been fixed in version 7.32-1+deb8u15. We recommend that you upgrade your drupal7 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2019/02/msg00032.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/drupal7" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected drupal7 package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:drupal7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/22"); script_set_attribute(attribute:"patch_publication_date", value:"2019/02/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/20"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"drupal7", reference:"7.32-1+deb8u15")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Packetstorm
| data source | https://packetstormsecurity.com/files/download/151094/peararchivetar-inject.txt |
| id | PACKETSTORM:151094 |
| last seen | 2019-01-11 |
| published | 2019-01-10 |
| reporter | farisv |
| source | https://packetstormsecurity.com/files/151094/PEAR-Archive_Tar-PHP-Object-Injection.html |
| title | PEAR Archive_Tar PHP Object Injection |
References
- https://blog.ripstech.com/2018/new-php-exploitation-technique/
- https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
- https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html
- https://pear.php.net/bugs/bug.php?id=23782
- https://pear.php.net/package/Archive_Tar/download/
- https://security.gentoo.org/glsa/202006-14
- https://usn.ubuntu.com/3857-1/
- https://www.debian.org/security/2019/dsa-4378
- https://www.exploit-db.com/exploits/46108/