Open source bug poses threat to sites running multiple CMSes

by Dan Goodin, Ars Technica

(Image credit: Pixabay)

Websites running the Drupal, Joomla, or Typo3 content-management systems are vulnerable to attacks that could execute malicious code until administrators install just-released patches, developers and security researchers warned.

The vulnerability resides in the PharStreamWrapper, a PHP component developed and open-sourced by CMS maker Typo3. Indexed as CVE-2019-11831, the flaw stems from a path-traversal bug that allows hackers to swap a site's legitimate phar archive with a malicious one. A phar archive is used to distribute a complete PHP application or library in a single file, in much the way a Java archive file bundles many Java files into a single file.
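As an added illustration of the kind of defensive gate the passage above describes (this is not code from TYPO3, Drupal or the article, and not the actual CVE-2019-11831 fix), the following PHP function applies a conservative policy to a phar:// path before it would be handed to PHP: it refuses relative paths, refuses any ".." segment outright rather than resolving it, and requires the archive to sit under an allow-listed directory. The function name isSafePharPath, the $allowedBase parameter and the sample site layout are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3's PharStreamWrapper and not the CVE-2019-11831
// patch: a generic gate that a stream-wrapper style check could apply to a
// phar:// path. $allowedBase is a hypothetical configuration value naming the
// one directory from which phar archives may be loaded.
function isSafePharPath(string $path, string $allowedBase): bool
{
    // Only phar:// URLs are considered; anything else is outside this gate.
    if (stripos($path, 'phar://') !== 0) {
        return false;
    }

    // Normalise separators so a Windows-style "..\" is seen as a segment too.
    $rest = str_replace('\\', '/', substr($path, strlen('phar://')));

    // Require an absolute filesystem path: relative phar paths depend on the
    // current working directory and are hard to reason about safely.
    if ($rest === '' || $rest[0] !== '/') {
        return false;
    }

    $segments = [];
    foreach (explode('/', $rest) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;       // empty and "." segments carry no meaning
        }
        if ($segment === '..') {
            return false;   // traversal segment: reject, never resolve
        }
        $segments[] = $segment;
    }
    $normalized = '/' . implode('/', $segments);

    // The archive (and anything addressed inside it) must live under the
    // allowed base. The trailing slash on $base stops "/files2/" from
    // matching an allow-list entry of "/files".
    $base = rtrim(str_replace('\\', '/', $allowedBase), '/') . '/';
    return strncmp($normalized, $base, strlen($base)) === 0;
}

// Constructed sample inputs using a hypothetical site layout.
$allowed = '/var/www/site/files';
$candidates = [
    'phar:///var/www/site/files/app.phar/lib/bootstrap.php',
    'phar:///var/www/site/files/../uploads/other.phar/x.php',
    'phar:///tmp/other.phar/x.php',
    'phar://relative/app.phar/x.php',
    'phar:///var/www/site/files2/app.phar/x.php',
];
foreach ($candidates as $candidate) {
    printf("%-58s %s\n", $candidate,
        isSafePharPath($candidate, $allowed) ? 'allowed' : 'rejected');
}
```

The check deliberately refuses a ".." segment instead of collapsing it, since a caller with a legitimate archive has no reason to climb directories, and it works on the string alone, so it does not follow symlinks; a deployment that needs that guarantee would additionally resolve the archive file with realpath() and compare the result against the allow-list. None of this replaces installing the vendor patches the article refers to.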

In an advisory published Wednesday, Drupal developers rated the severity of the vulnerability affecting their CMS as moderately critical. That's well below the highly critical rating of a recent Drupal vulnerability and earlier remote-execution flaws that took on the name "Drupalgeddon." Still, the vulnerability represents enough of a risk that administrators should patch it as soon as possible.

Source: Ars Technica (https://arstechnica.com/), via the feed http://feeds.arstechnica.com/arstechnica/index