8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000888

GHSA ID

GHSA-3q76-jq6m-573p

EPSS Score

0.96312%

CWE

Published

7/7/2023

Updated

7/7/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-1000888

CVE-2018-1000888: Archive_Tar contains Potential RCE if filename starts with phar://

PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with $v_header['filename'] as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with phar://[path_to_malicious_phar_file] as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because @unlink($this->_temp_tarname) is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.

(GitHub Advisory)

8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000888

GHSA ID

GHSA-3q76-jq6m-573p

EPSS Score

0.96312%

CWE

Published

7/7/2023

Updated

7/7/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pear/archive_tar	composer	< 1.4.4	1.4.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key points: 1) The _maliciousFilename method lacked a check for 'phar://' prefixes (added in the patch), allowing attackers to bypass path validation. 2) The _extractFile method (and related extraction logic) used $v_header['filename'] in PHP filesystem functions (file_exists/is_dir/etc.) without proper sanitization. When combined, these allow phar:// wrappers to trigger deserialization via Phar metadata. The exploit examples and patch focus on these components, confirming their critical role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

P**R *r**iv*_T*r v*rsion *.*.* *n* **rli*r *ont*ins * *W*-***, *W*-*** vuln*r**ility in t** *r**iv*_T*r *l*ss. T**r* *r* s*v*r*l *il* op*r*tions wit* `$v_*****r['*il*n*m*']` *s p*r*m*t*r (su** *s *il*_*xists, is_*il*, is_*ir, *t*). W**n *xtr**t is **

Reasoning

T** vuln*r**ility st*ms *rom two k*y points: *) T** _m*li*ious*il*n*m* m*t*o* l**k** * ****k *or 'p**r://' pr**ix*s (***** in t** p*t**), *llowin* *tt**k*rs to *yp*ss p*t* v*li**tion. *) T** _*xtr**t*il* m*t*o* (*n* r*l*t** *xtr**tion lo*i*) us** $v_

8.8

Basic Information

Concerned about an active attack path?

CVE-2018-1000888: Archive_Tar contains Potential RCE if filename starts with phar://

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI