Miggo Logo

CVE-2018-1000888: Archive_Tar contains Potential RCE if filename starts with phar://

8.8

CVSS Score
3.0

Basic Information

EPSS Score
0.96312%
CWE
-
Published
7/7/2023
Updated
7/7/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
pear/archive_tarcomposer< 1.4.41.4.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key points: 1) The _maliciousFilename method lacked a check for 'phar://' prefixes (added in the patch), allowing attackers to bypass path validation. 2) The _extractFile method (and related extraction logic) used $v_header['filename'] in PHP filesystem functions (file_exists/is_dir/etc.) without proper sanitization. When combined, these allow phar:// wrappers to trigger deserialization via Phar metadata. The exploit examples and patch focus on these components, confirming their critical role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

P**R *r**iv*_T*r v*rsion *.*.* *n* **rli*r *ont*ins * *W*-***, *W*-*** vuln*r**ility in t** *r**iv*_T*r *l*ss. T**r* *r* s*v*r*l *il* op*r*tions wit* `$v_*****r['*il*n*m*']` *s p*r*m*t*r (su** *s *il*_*xists, is_*il*, is_*ir, *t*). W**n *xtr**t is **

Reasoning

T** vuln*r**ility st*ms *rom two k*y points: *) T** _m*li*ious*il*n*m* m*t*o* l**k** * ****k *or 'p**r://' pr**ix*s (***** in t** p*t**), *llowin* *tt**k*rs to *yp*ss p*t* v*li**tion. *) T** _*xtr**t*il* m*t*o* (*n* r*l*t** *xtr**tion lo*i*) us** $v_