CVE-2019-11831

9.8 CRITICAL

📋 TL;DR

This vulnerability in PharStreamWrapper allows attackers to bypass directory traversal protections in TYPO3's phar:// stream wrapper. By using specially crafted URLs like phar:///path/bad.phar/../good.phar, attackers can circumvent deserialization safeguards, potentially leading to remote code execution. This affects TYPO3 installations using vulnerable versions of the phar-stream-wrapper package.

💻 Affected Systems

Products:
  • TYPO3 CMS
  • TYPO3 phar-stream-wrapper package
Versions: phar-stream-wrapper 2.x before 2.1.1, 3.x before 3.1.1
Operating Systems: All platforms running affected TYPO3 versions
Default Config Vulnerable: ⚠️ Yes
Notes: Any TYPO3 installation using phar:// URLs with the vulnerable wrapper is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Arbitrary file read/write, privilege escalation, or deserialization attacks leading to application compromise.

🟢 If Mitigated: Limited impact with proper input validation and file system permissions in place.

🌐 Internet-Facing: HIGH - Web applications using TYPO3 with vulnerable phar-stream-wrapper are directly exposed.
🏢 Internal Only: MEDIUM - Internal applications still vulnerable but with reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept demonstrated in advisory; exploitation requires ability to upload or reference phar files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: phar-stream-wrapper v2.1.1 or v3.1.1

Vendor Advisory: https://github.com/TYPO3/phar-stream-wrapper/releases

Restart Required: No

Instructions:

1. Update the phar-stream-wrapper package to v2.1.1 (for 2.x) or v3.1.1 (for 3.x).
2. Update TYPO3 CMS if it bundles the vulnerable package.
3. Verify there are no regressions in phar:// stream functionality.

🔧 Temporary Workarounds

Disable phar:// wrapper (platform: all)

Temporarily disable the phar:// stream wrapper in PHP configuration:

php -d phar.readonly=1
Add 'phar.readonly = 1' to php.ini

Note: phar.readonly stops PHP from creating or modifying phar archives, but existing archives can still be opened through phar://, so this setting alone does not close the read path this CVE abuses; unregistering the wrapper at application bootstrap with stream_wrapper_unregister('phar') does, at the cost of breaking any legitimate phar:// use.

Input validation filter (platform: all)

Implement strict input validation to reject phar:// URLs that contain directory traversal patterns.

🧯 If You Can't Patch

  • Implement web application firewall rules to block phar:// URLs with traversal sequences
  • Restrict file upload capabilities and monitor for suspicious phar file usage

🔍 How to Verify

Check if Vulnerable:

Check composer.json or package version: composer show typo3/phar-stream-wrapper

Check Version:

composer show typo3/phar-stream-wrapper | grep version

Verify Fix Applied:

Verify installed version is 2.1.1+ or 3.1.1+: composer show typo3/phar-stream-wrapper | grep version

📡 Detection & Monitoring

Log Indicators:

  • phar:// URLs with ../ sequences in access logs
  • Unexpected file operations via phar wrapper

Network Indicators:

  • HTTP requests containing phar:// paths with traversal patterns

SIEM Query:

web_access_logs WHERE url CONTAINS 'phar://' AND url CONTAINS '../'
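A log-side version of the SIEM query above, as an added example that is not part of the advisory: it scans constructed access-log lines for a phar:// request path that contains a '..' segment, percent-decoding the URL first so an encoded form of the same path is not missed. The log lines, file paths and function names are constructed for illustration.

```python
# Added example (not from the advisory): flag access-log requests carrying a
# phar:// path with a directory-traversal segment, the pattern behind
# CVE-2019-11831. Percent-decodes the URL before matching.
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/May/2019:12:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.6 - - [10/May/2019:12:00:02 +0000] "GET /index.php?file=phar:///var/www/uploads/bad.phar/../good.phar HTTP/1.1" 200 88
10.0.0.7 - - [10/May/2019:12:00:03 +0000] "GET /index.php?file=phar%3A%2F%2F%2Fvar%2Fwww%2Fu%2Fx.phar%2F%2e%2e%2Fy.phar HTTP/1.1" 200 88
10.0.0.8 - - [10/May/2019:12:00:04 +0000] "GET /index.php?file=phar:///var/www/legit.phar/inner.txt HTTP/1.1" 200 64
"""

REQUEST_RE = re.compile(r'"(?:[A-Z]+) (\S+) [^"]*"')
# A '..' path segment delimited by / or \ (or the start/end of the string).
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')

def decode_fully(url, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so encoded and plain
    forms of the same path normalise to one string."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def is_phar_traversal(url):
    """True when the decoded URL references phar:// and has a '..' segment after it."""
    decoded = decode_fully(url).lower()
    if "phar://" not in decoded:
        return False
    # Only inspect the phar path itself so an unrelated '..' does not count.
    phar_part = decoded.split("phar://", 1)[1]
    return bool(TRAVERSAL_RE.search(phar_part))

def find_suspicious(log_text):
    """Return (line_number, decoded_url) for each matching access-log line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and is_phar_traversal(m.group(1)):
            hits.append((lineno, decode_fully(m.group(1))))
    return hits

if __name__ == "__main__":
    for lineno, url in find_suspicious(SAMPLE_ACCESS_LOG):
        print(f"line {lineno}: {url}")
```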
