Hello, welcome to the Monday, January 21st, 2019 edition of the Sands and at Storm Center's

Stormcast. My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Still running a website using Truple? Well, it's time to patch again. This latest update addresses two different

vulnerabilities. Now, the first off, these vulnerabilities really fixes a bug in the external

tar library. This vulnerability could be exploited to override files on the system, and in

some cases, based on the files the attacker can

override it could lead to arbitrary code execution.

Now TAR of course is a tool that packs various files into an archive when they're untarred

as it's often called then of course there is a risk that file names inside the

TAR archive are being used to override files on the system and probably we're talking

about a similar issue here where you can somehow bypass some of the file name validation

being done.

Now the second issue deals with PHP stream wrappers, and that has been an issue that has led

to a lot of problems in the past.

In PHP, not all URLs already created equal.

There are some special URLs, these stream wrappers, and in that case, the URL itself is actually

then, for example, treated as a file or as code, and that can lead to problems.

So in this particular case, if the URL starts with PHAR or FAR, that means that the remainder of the URL is really a PHP code archive and that

could be executed. Now the problem of course is that as a software like in this case

triple accept URLs from users they have to make sure it's not one of these special

stream URLs and so far

PHP has not considered far stream wrappers as dangerous which led to this arbitrary code

...