CVE-2020-28948
📋 TL;DR
CVE-2020-28948 is a deserialization vulnerability in Archive_Tar that allows attackers to execute arbitrary code via PHAR archive exploitation. The vulnerability exists because the library blocks the 'phar:' protocol but not 'PHAR:' (uppercase), so the check is bypassed by changing the case of the scheme. Any PHP application using Archive_Tar version 1.4.10 or earlier is affected.
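The bypass described above, shown as an added illustration (this is not Archive_Tar's own code): a case-sensitive "phar:" check beside a case-insensitive one, plus a broader scheme check that goes beyond the phar case by refusing any stream-wrapper prefix on an entry name. The sample entry names are constructed for the demonstration.

```php
<?php
// Added illustration, not Archive_Tar's code. PHP resolves stream-wrapper
// names case-insensitively, so "PHAR://" or "Phar://" still reaches the
// phar wrapper; a comparison that only knows lowercase "phar:" misses it.

// Vulnerable pattern: exact-case prefix match only.
function rejectsPharCaseSensitive(string $path): bool
{
    return strpos($path, 'phar:') === 0;
}

// Hardened check (same idea as the page's workaround): case-insensitive,
// and anywhere in the string rather than only as a prefix.
function rejectsPharCaseInsensitive(string $path): bool
{
    return stripos($path, 'phar:') !== false;
}

// Broader control: an extracted file name or symlink target should never
// carry a URL scheme at all, so refuse any "<scheme>:" prefix before the
// name reaches fopen()/file_put_contents(). Two or more scheme characters
// are required so a Windows drive letter such as "C:" is not matched.
function hasStreamWrapperScheme(string $path): bool
{
    return preg_match('/^[A-Za-z][A-Za-z0-9+.\-]+:/', $path) === 1;
}

// Constructed sample entry names as they might appear in a crafted tar;
// the boolean is whether the name should be refused.
$samples = [
    'phar://evil.phar/x' => true,   // caught by every check
    'PHAR://evil.phar/x' => true,   // slips past the case-sensitive check
    'Phar://evil.phar/x' => true,   // slips past the case-sensitive check
    'data:text/plain,x'  => true,   // only the scheme check catches this
    'docs/readme.txt'    => false,  // ordinary relative path
];

foreach ($samples as $name => $shouldRefuse) {
    printf("%-20s expected=%d sensitive=%d insensitive=%d scheme=%d\n",
        $name,
        (int) $shouldRefuse,
        (int) rejectsPharCaseSensitive($name),
        (int) rejectsPharCaseInsensitive($name),
        (int) hasStreamWrapperScheme($name));
}
```

Run with `php example.php`; the second and third rows show `sensitive=0` while both hardened checks report 1.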
💻 Affected Systems
- Archive_Tar (PEAR package)
📦 What is this software?
Drupal by Drupal
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Arbitrary code execution with the privileges of the web server process, potentially allowing file system access and further exploitation.
If Mitigated
Limited impact if proper input validation and file upload restrictions are in place, though deserialization risks remain.
🎯 Exploit Status
Exploitation requires the ability to upload or provide a malicious PHAR archive to the vulnerable application. The vulnerability is well-documented with public proof-of-concept code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Archive_Tar 1.4.11 and later
Vendor Advisory: https://github.com/pear/Archive_Tar/issues/33
Restart Required: No
Instructions:
1. Update Archive_Tar to version 1.4.11 or later using your package manager (e.g., 'pear upgrade Archive_Tar').
2. If using Composer, update your composer.json to require 'pear/archive_tar: ^1.4.11' and run 'composer update'.
3. Verify the update by checking the Archive_Tar version in your application.
🔧 Temporary Workarounds
Input Validation Filter
Block every case variation of the 'phar:' protocol (e.g. 'PHAR:', 'Phar:') in archive extraction functions
// PHP code snippet to add to archive processing:
if (stripos($archive_path, 'phar:') !== false) {
throw new Exception('PHAR protocol not allowed');
}
Disable PHAR Deserialization
Configure PHP to restrict PHAR handling via php.ini settings. Note that phar.readonly = 1 is PHP's default and only blocks creating or modifying PHAR archives; it does not stop reads through the phar:// wrapper, so pair it with the protocol filter above.
phar.readonly = 1
phar.require_hash = 1
🧯 If You Can't Patch
- Implement strict file upload validation: only allow specific archive formats (zip, tar) and scan for malicious content
- Run Archive_Tar in a restricted environment with limited filesystem access and disable dangerous PHP functions
🔍 How to Verify
Check if Vulnerable:
Check your Archive_Tar version. If using Composer: 'composer show pear/archive_tar'. If using PEAR: 'pear list Archive_Tar'. If version is 1.4.10 or earlier, you are vulnerable.
Check Version:
php -r "require_once 'Archive/Tar.php'; echo 'Archive_Tar version: ' . Archive_Tar::VERSION;"
Verify Fix Applied:
After updating, verify the version is 1.4.11 or later. Test archive extraction with a safe test file to ensure functionality remains.
📡 Detection & Monitoring
Log Indicators:
- Unusual archive extraction attempts with uppercase PHAR protocol
- Errors from Archive_Tar when processing archives
- Unexpected file writes or code execution following archive processing
Network Indicators:
- Uploads of archive files to web applications, particularly with unusual filenames or extensions
SIEM Query:
source=web_logs (archive OR tar OR extract) AND (error OR exception) AND (phar OR PHAR)
🔗 References
- https://github.com/pear/Archive_Tar/issues/33
- https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/
- https://security.gentoo.org/glsa/202101-23
- https://www.debian.org/security/2020/dsa-4817
- https://www.drupal.org/sa-core-2020-013