PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.

redhat_unpatched php-pear: php-pear: Unpatched vulnerabilities

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - php-pear: Unsafe deserialization of data in Archive_Tar class (CVE-2018-1000888)

  - PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file     types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted     responses, as demonstrated by a .htaccess overwrite. (CVE-2017-5630)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - php-pear: Unsafe deserialization of data in Archive_Tar class (CVE-2018-1000888)

  - Archive_Tar: improper filename sanitization leads to file overwrites (CVE-2020-28949)

  - Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not     blocked. (CVE-2020-28948)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - php-pear: Unsafe deserialization of data in Archive_Tar class (CVE-2018-1000888)

  - PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file     types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted     responses, as demonstrated by a .htaccess overwrite. (CVE-2017-5630)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote host is affected by the vulnerability described in GLSA-202006-14 (PEAR Archive_Tar: Remote code execution vulnerability)

    An issue was discovered in the PEAR module Archive_Tar&rsquo;s handling of       file paths within Tar achives.
  Impact :

    A local or remote attacker could possibly execute arbitrary code with       the privileges of the process.
  Workaround :

    Avoid handling untrusted Tar files with this package until you have       upgraded to a non-vulnerable version.

According to the version of the php-pear package installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - PEAR Archive_Tar version 1.4.3 and earlier contains a     CWE-502, CWE-915 vulnerability in the Archive_Tar     class. There are several file operations with     `$v_header['filename']` as parameter (such as     file_exists, is_file, is_dir, etc). When extract is     called without a specific prefix path, we can trigger     unserialization by crafting a tar file with     `phar://[path_to_malicious_phar_file]` as path. Object     injection can be used to trigger destruct in the loaded     PHP classes, e.g. the Archive_Tar class itself. With     Archive_Tar object injection, arbitrary file deletion     can occur because `@unlink($this-i1/4z_temp_tarname)` is     called. If another class with useful gadget is loaded,     it may possible to cause remote code execution that can     result in files being deleted or possibly modified.
    (CVE-2018-1000888)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified.
This vulnerability appears to have been fixed in 1.4.4.(CVE-2018-1000888)

php-pear in php5 contains CWE-502 (Deserialization of Untrusted Data) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) vulnerabilities in its Archive_Tar class. When extract is called without a specific prefix path, can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, all with possible remote code execution that can result in files being deleted or possibly modified.

For Debian 8 'Jessie', this problem has been fixed in version 5.6.39+dfsg-0+deb8u2.

We recommend that you upgrade your php5 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fariskhi Vidyan discovered that the PEAR Archive_Tar package for handling tar files in PHP is prone to a PHP object injection vulnerability, potentially allowing a remote attacker to execute arbitrary code.

According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.62, 8.5.x prior to 8.5.9, or 8.6.x prior to 8.6.6. It is, therefore, affected by multiple phar handling vulnerabilities. An unauthenticated attacker could leverage these vulnerabilities to potentially perform remote code execution attacks and gain access in the context the web server user.

Fariskhi Vidyan discovered that PEAR Archive_Tar incorrectly handled certain archive paths. A remote attacker could possibly use this issue to execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
199543	RHEL 6 : php-pear (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
199488	RHEL 8 : php-pear (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
199484	RHEL 7 : php-pear (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
137451	GLSA-202006-14 : PEAR Archive_Tar: Remote code execution vulnerability	Nessus	Gentoo Local Security Checks	high
123621	EulerOS 2.0 SP5 : php-pear (EulerOS-SA-2019-1147)	Nessus	Huawei Local Security Checks	high
123595	EulerOS 2.0 SP2 : php-pear (EulerOS-SA-2019-1121)	Nessus	Huawei Local Security Checks	high
122160	Amazon Linux 2 : php-pear (ALAS-2019-1159)	Nessus	Amazon Linux Local Security Checks	high
122101	Debian DLA-1674-1 : php5 security update	Nessus	Debian Local Security Checks	high
121486	Debian DSA-4378-1 : php-pear - security update	Nessus	Debian Local Security Checks	high
121214	Drupal 7.x < 7.62 / 8.5.x < 8.5.9 / 8.6.x < 8.6.6 Multiple Vulnerabilities (SA-CORE-2019-001, SA-CORE-2019-002)	Nessus	CGI abuses	critical
121187	Ubuntu 16.04 LTS / 18.04 LTS : PEAR vulnerability (USN-3857-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2018-1000888

high

Tenable Plugins

Coming Soon

high

high

high

high

high

high

high

high

high

critical

high