Warning over open-source bug affecting Drupal, Joomla and Typo3 CMS platforms

Run Drupal, Joomla or Typo3? Newly identified vulnerability could facilitate remote code execution attacks

Drupal, Joomla and Typo3 content management systems have been left exposed to cyber attack as a result of a recently discovered open-source bug.

The vulnerability, tracked as CVE-2019-11831, lies in the PharStreamWrapper open-source PHP component developed by CMS firm Typo3.

The flaw stems from a path-traversal bug that lets an attacker substitute a malicious Phar archive for the one the component actually checks.

As PHP.net explains, these archives are used "to distribute a complete PHP application or library in a single file" and used "exactly like any other PHP application".

The National Institute of Standards and Technology wrote: "The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL."

On Wednesday, Drupal published a security advisory rating the vulnerability "moderately critical". The CMS maker said the vulnerability affects third-party libraries in its platform.

"In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling," said the firm.

"The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file."
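The base-name check that the advisory describes, modelled in Python as an added example (this is illustrative code written for this article, not code from PharStreamWrapper, Drupal or Joomla). A naive resolver takes the path up to the first `.phar` segment and ignores any `..` that follows; a canonicalising resolver collapses `..` first. The two disagree for exactly the URL form NIST quotes, which is both the bug and a usable detection signal. The approved directory and the sample URLs are constructed for the illustration, and the hardened check fails closed on any traversal segment rather than trying to reason about it.

```python
"""Added model of the phar:// base-name check discussed above.

Illustrative code written for this article, not code from PharStreamWrapper,
Drupal or Joomla. Paths, the approved directory and the sample URLs are
constructed; nothing here touches the file system or PHP's phar handling.
"""
import posixpath
from typing import List, Optional, Tuple

PHAR_PREFIX = "phar://"
# Assumed policy for the hardened check: archives must live under this
# directory. The value is a placeholder chosen for the example.
APPROVED_DIR = "/var/www/approved"


def strip_prefix(url: str) -> str:
    """Return the path part of a phar:// URL, or raise if it is not one."""
    if not url.startswith(PHAR_PREFIX):
        raise ValueError("not a phar:// URL: %r" % url)
    return url[len(PHAR_PREFIX):]


def first_phar_segment(path: str) -> Optional[str]:
    """Base name as a naive interceptor would see it: the path up to the
    first segment ending in '.phar', with no handling of '..' segments.
    This models the class of defect described in the advisories, not the
    library's actual code."""
    parts = path.split("/")
    for i, segment in enumerate(parts):
        if segment.endswith(".phar"):
            return "/".join(parts[: i + 1])
    return None


def canonical_base_name(path: str) -> Optional[str]:
    """Base name after collapsing '.', '..' and repeated slashes, i.e. the
    archive a runtime that resolves the path would actually reach."""
    return first_phar_segment(posixpath.normpath(path))


def resolution_mismatch(url: str) -> bool:
    """Detection signal: True when naive and canonical base names differ.
    For phar:///path/bad.phar/../good.phar the naive check assesses
    /path/bad.phar while the canonical path points at /path/good.phar."""
    path = strip_prefix(url)
    return first_phar_segment(path) != canonical_base_name(path)


def has_traversal_segments(path: str) -> bool:
    """True if any path segment is '.' or '..'."""
    return any(segment in (".", "..") for segment in path.split("/"))


def is_allowed(url: str, approved_dir: str = APPROVED_DIR) -> Tuple[bool, str]:
    """Hardened check: fail closed on traversal, then canonicalise before
    extracting the base name and applying the directory policy.
    Returns (allowed, base name or rejection reason)."""
    path = strip_prefix(url)
    if has_traversal_segments(path):
        return False, "traversal segment in phar path"
    base = canonical_base_name(path)
    if base is None:
        return False, "no .phar archive in path"
    if not base.startswith("/"):
        return False, "relative archive path"
    # commonpath rather than startswith, so /var/www/approved-other is rejected
    if posixpath.commonpath([approved_dir, base]) != approved_dir:
        return False, "archive outside approved directory"
    return True, base


def audit(urls: List[str]) -> List[Tuple[str, bool, str, bool]]:
    """Run both signals over a list of URLs: (url, allowed, detail, mismatch)."""
    results = []
    for url in urls:
        allowed, detail = is_allowed(url)
        results.append((url, allowed, detail, resolution_mismatch(url)))
    return results


# Constructed sample URLs; the traversal form is the one quoted by NIST.
SAMPLE_URLS = [
    "phar:///var/www/approved/lib.phar/src/Loader.php",
    "phar:///path/bad.phar/../good.phar",
    "phar:///var/www/uploads/avatar.phar/x",
    "phar:///var/www/approved/picture.jpg",
]

if __name__ == "__main__":
    for url, allowed, detail, mismatch in audit(SAMPLE_URLS):
        print("%-50s allowed=%-5s mismatch=%-5s %s" % (url, allowed, mismatch, detail))
```

The `resolution_mismatch` signal is the part worth reusing in monitoring: any phar URL for which the unnormalised and canonical base names differ is, by construction, one where a check and the runtime could be looking at different archives.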

To mitigate the flaw, Drupal advised:

Joomla has also published a security announcement, explaining: "In Joomla 3.9.3, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the Joomla core.

"In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling.

"The used implementation however is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file."

According to Joomla, the flaw affects CMS versions 3.9.3 through to 3.9.5. It recommends that users upgrade to version 3.9.6 as soon as possible.

Meanwhile, users of the Typo3 CMS are being advised to upgrade to PharStreamWrapper versions 3.1.1 (3.x branch) or 2.1.1 (2.x branch) in order to eradicate the flaw.
