Serious Phar Flaw Allows Arbitrary Code Execution on Drupal


Drupal, Typo3 and Joomla are all impacted by the bug.

Multiple content management systems – including Drupal, Joomla and Typo3 – are open to a vulnerability that can lead to arbitrary code execution on some systems.

The flaw (CVE-2019-11831) exists in the phar stream wrapper component used in PHP-driven projects. A Phar archive packages a complete PHP application or library in a single file; the phar stream wrapper is an open-source component published by Typo3 that intercepts phar:// file operations so a project can verify, before PHP's own Phar handling touches the file, that it is a valid Phar file, loaded from a specific directory, with the correct file extension.

However, researcher Daniel le Gall discovered that this protection against insecure deserialization can be bypassed on Drupal (insecure deserialization is a vulnerability in which untrusted data is unserialized by the application and used to abuse its logic).

Typo3 and Joomla also contain third-party libraries and projects based on PHP’s built-in phar stream wrapper; but the impact of the bug on each varies by platform, the researcher said.

“The vulnerability allows [attackers] to deserialize arbitrary PHP objects, which makes it a vulnerability very dependent on the context in which it is exploited,” le Gall told Threatpost via direct message. “As a result, the operation will be different from one project to another. On some projects, this could allow arbitrary code to be executed, if some interesting classes allow it. This is clearly the case for Drupal, since my initial report indicates a method to execute arbitrary code on their server with a user who can administer the themes.”

If exploited, an attacker could bypass the protection provided for the phar stream wrapper and eventually launch arbitrary code execution attacks, according to le Gall in a tweet.

Typo3 for its part said that versions 2.0 to 2.1 and 3.0 to 3.1 of the stream wrapper package are impacted; users can update to versions 2.1.1 for PHP 5.3 and later, or 3.1.1 for PHP 7.0 and later.

“In order to intercept file invocations like file_exists or stat on compromised Phar archives, the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling,” according to a Wednesday Typo3 advisory. “The current implementation is vulnerable to path traversal, leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.”
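The advisory's point is that the archive name must be derived from, and checked on, the normalized path; a check run on the raw string can be satisfied by a path that merely begins with an allowed directory and then climbs out of it with `..`. The following PHP is an added illustration of that bug class written for this article; it is not the typo3/phar-stream-wrapper code. The allow-list directory `ALLOWED_DIR`, the helper names, and the two input URLs are assumptions, base-file determination is simplified to a lexical scan (the real library consults the filesystem), and nothing here touches disk. It needs PHP 8.0 or later for `str_starts_with` and `str_ends_with`.

```php
<?php
declare(strict_types=1);

// Added illustration for this article, not the typo3/phar-stream-wrapper code.
// Assumed policy: a phar:// path may only be passed on to PHP's Phar stream
// handling if the archive it names sits under ALLOWED_DIR.
const ALLOWED_DIR = '/var/www/app/vendor';

// Drop the scheme; keep the rest of the path exactly as the caller supplied it.
function stripScheme(string $path): string
{
    return preg_replace('#^phar://#i', '', $path) ?? $path;
}

// Lexically collapse "." and ".." segments. This is the step the weak check
// below skips: without it, "vendor/../../tmp/evil.jpg" still starts with "vendor".
function normalizePath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);          // climbing above "/" just stays at "/"
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Simplified base-file determination: the prefix up to and including the first
// segment ending in ".phar", else the whole path (the phar:// scheme does not
// require that extension, so a compromised file may carry any name).
function baseFile(string $path): string
{
    $parts = explode('/', $path);
    for ($i = 1; $i <= count($parts); $i++) {
        $candidate = implode('/', array_slice($parts, 0, $i));
        if (str_ends_with(strtolower($candidate), '.phar')) {
            return $candidate;
        }
    }
    return $path;
}

function isUnderAllowedDir(string $baseFile): bool
{
    return str_starts_with($baseFile, ALLOWED_DIR . '/');
}

// Weak: checks the un-normalized name, so a string prefix match is enough to pass.
function weakCheck(string $pharUrl): bool
{
    return isUnderAllowedDir(baseFile(stripScheme($pharUrl)));
}

// Hardened: normalize first, so the name that is checked is the file PHP will open.
function hardenedCheck(string $pharUrl): bool
{
    return isUnderAllowedDir(baseFile(normalizePath(stripScheme($pharUrl))));
}

// Constructed inputs: a legitimate archive, and a traversal that starts inside
// the allowed directory but resolves to an attacker-controlled upload.
$inputs = [
    'phar:///var/www/app/vendor/lib.phar/config.php',
    'phar:///var/www/app/vendor/../../../../tmp/evil.jpg/any',
];
foreach ($inputs as $url) {
    printf(
        "%-58s weak=%s hardened=%s\n",
        $url,
        weakCheck($url) ? 'allow' : 'deny',
        hardenedCheck($url) ? 'allow' : 'deny'
    );
}
```

Run with `php check.php`: the legitimate path is allowed by both checks, while the traversal path is allowed by `weakCheck` (its raw string starts with the allowed directory) and denied by `hardenedCheck`, because after normalization the archive to be assessed is `/tmp/evil.jpg`, which is the actual file PHP would open. The same reasoning applies to an extension check: it has to be evaluated on the normalized base name, not on a prefix of the caller's string.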

Meanwhile, Joomla versions 3.9.3 through 3.9.5 are impacted; users should upgrade to version 3.9.6. According to its advisory, Joomla addressed the vulnerability by removing the known attack vector from the Joomla core, and rated the vulnerability as low in severity.

For Drupal, the vulnerability was rated “moderately critical,” as the affected component ships in several Drupal versions, including Drupal 8.7 and earlier 8.x releases as well as Drupal 7.

Le Gall told Threatpost that he initially reported the vulnerability to Drupal’s security team through the European Commission’s bug bounty program. The flaw was discovered and reported on Feb. 22 to Drupal’s security team, which subsequently notified Joomla and Typo3.

“Currently, I can confirm that this component is present by default in the Drupal core,” le Gall told Threatpost. “For Joomla and Typo3, I don’t have a precise answer. Their teams did their investigations on their side, and I didn’t really look at how this flaw was exploitable on it, nor how this component was integrated.”
