TYPO3-PSA-2019-008: By-passing protection of Phar Stream Wrapper Interceptor

Categories: Development Created by Oliver Hader
It has been discovered that the protection against insecure deserialization can be by-passed in Phar Stream Wrapper component.
  • Release Date: May 8, 2019
  • Component Type: PharStreamWrapper (package typo3/phar-stream-wrapper)
  • Impact: By-passing protection against insecure deserialization
  • Affected Versions: 2.0.0-2.1.0 and 3.0.0-3.1.0 of the package
  • CVE: CVE-2019-11830

Problem Description

Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application. In July 2018, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the TYPO3 core. For more details read the corresponding TYPO3 advisory.

The specific PharMetaDataInterceptor is targeted to discover potential insecure serialized objects in the meta-data section of Phar archives. In order to retrieve that information the Phar structure has been parsed without actually invoking PHP’s native process - which would directly lead to the original vulnerability. Due to flaws in Phar stub parsing it was possible to inject manipulated bundles that would to have been blocked by the mentioned PharMetaDataInterceptor.

Solution

Internal Phar stub parsing has been adjusted to match actual handling like provided in the native PHP source code.

The Phar Stream Wrapper package is available for any PHP driven project for download.

Users who downloaded the previous version are advised to upgrade to versions 3.1.1 (for PHP v7.0 and later) and 2.1.1 (for PHP v5.3 and later) to keep their projects safe. This also has been addressed already in recent TYPO3 releases of versions 8.7.25 LTS and 9.5.6 LTS.

Severity

The final severity assessment has to be done in the component making use of the Phar Stream Wrapper package and depends on the interceptor strategy that has been used. In case file invocations on user submitted paths are allowed at least insecure deserialization is possible. Depending on the specific implementation in the using components this could lead to higher impact scores concerning confidentiality, integrity and availability.

Download

Please either upgrade to versions v3.1.1 and v2.1.1 manually or ensure Composer dependencies are raised to the mentioned new versions.

Credits

Thanks to Tom Klingenberg who reported this issue and provided according security fixes.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.