
CVE-2019-11831: Directory Traversal in typo3/phar-stream-wrapper

CVSS Score
9.8 (CVSS v3.1)

Basic Information

EPSS Score
0.39974%
Published
9/30/2021
Updated
2/6/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name                Ecosystem   Vulnerable Versions   First Patched Version
typo3/phar-stream-wrapper   composer    >= 2.0.0, < 2.1.1     2.1.1
typo3/phar-stream-wrapper   composer    >= 3.0.0, < 3.1.1     3.1.1
drupal/core                 composer    >= 7.0.0, < 7.67.0    7.67.0
drupal/core                 composer    >= 8.0.0, < 8.6.16    8.6.16
drupal/core                 composer    >= 8.7.0, < 8.7.1     8.7.1
drupal/drupal               composer    >= 7.0.0, < 7.67.0    7.67.0
drupal/drupal               composer    >= 8.0.0, < 8.6.16    8.6.16
drupal/drupal               composer    >= 8.7.0, < 8.7.1     8.7.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from improper path handling in the PharStreamWrapper's Helper class. The TYPO3 advisory gives the example 'phar:///path/bad.phar/../good.phar', which the wrapper resolved to '/path/good.phar': the '..' segment was collapsed textually before the archive was identified, so any assertion the application had registered (for example an allow-list of trusted .phar files) was evaluated against good.phar, while PHP's native phar handling treats bad.phar, the first '.phar' path component, as the archive and unserializes its metadata on access. determineBaseFile(), which decides which file in a phar:// path is the archive, and getCanonicalPath(), which normalizes '.' and '..' segments, perform this resolution and canonicalization; the 2.1.1 and 3.1.1 patches changed these functions, confirming their role in the vulnerability. The CWE-22 (Path Traversal) mapping reflects the flawed path resolution.
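As an added example (not code from the phar-stream-wrapper project or from this page), the following PHP models the resolution flaw described above on the advisory's example URL. The function names are hypothetical, paths are handled purely as strings (no files are opened) so it runs offline, and the only external behaviour it relies on is PHP's own rule that the first '.phar' path component of a phar:// URL is the archive.

```php
<?php
declare(strict_types=1);

/*
 * Added illustration, not the typo3/phar-stream-wrapper project's code.
 * Deciding which archive a phar:// URL names *after* textually collapsing
 * ".." segments lets "bad.phar/../good.phar" masquerade as good.phar, while
 * PHP's phar handling takes the first ".phar" component, bad.phar, as the
 * archive and unserializes its metadata. Paths are treated as strings only;
 * nothing on disk is touched (an assumption so the demo runs offline).
 */

function stripPharPrefix(string $url): string
{
    return (string) preg_replace('#^phar://#i', '', $url);
}

/** Textually resolve "." and ".." segments; this is where bad.phar is lost. */
function collapseDots(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);            // "bad.phar" is popped here
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

/** Archive = path up to and including the first ".phar" component
 *  (the rule PHP's phar stream wrapper applies). */
function firstPharComponent(string $path): ?string
{
    $segs = explode('/', $path);
    foreach ($segs as $i => $seg) {
        if (preg_match('/\.phar$/i', $seg) === 1) {
            return implode('/', array_slice($segs, 0, $i + 1));
        }
    }
    return null;
}

/** Flawed order: canonicalize the whole path, then pick the archive.
 *  phar:///path/bad.phar/../good.phar  ->  /path/good.phar */
function resolveArchiveVulnerable(string $url): ?string
{
    return firstPharComponent(collapseDots(stripPharPrefix($url)));
}

/** Hardened order: pick the archive from the raw path the way PHP does,
 *  then canonicalize only that archive path.
 *  phar:///path/bad.phar/../good.phar  ->  /path/bad.phar */
function resolveArchiveHardened(string $url): ?string
{
    $archive = firstPharComponent(stripPharPrefix($url));
    return $archive === null ? null : collapseDots($archive);
}

/** An allow-list assertion of the kind an application registers with the wrapper. */
function isAllowed(?string $archive, array $allowList): bool
{
    return $archive !== null && in_array($archive, $allowList, true);
}

$allowList = ['/path/good.phar'];                    // constructed trust list
$url       = 'phar:///path/bad.phar/../good.phar';   // the advisory's example

foreach (['vulnerable' => 'resolveArchiveVulnerable',
          'hardened'   => 'resolveArchiveHardened'] as $label => $fn) {
    $archive = $fn($url);
    printf("%-10s resolves %s -> allowed=%s\n",
        $label, $archive ?? '(none)',
        var_export(isAllowed($archive, $allowList), true));
}
```

Run with the php CLI: the vulnerable resolver reports /path/good.phar and passes the allow-list, the hardened one reports /path/bad.phar and is rejected. The check an application wants is therefore against the archive PHP will actually open, never against a canonicalized form of the whole URL.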


WAF Protection Rules

WAF Rule

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
