Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.10.9

Bug #21171 PECL Arbitrary File Download Vulnerability
Submitted: 2017-01-26 03:10 UTC
From: hyp3rlinx Assigned:
Status: Open Package: PEAR (version 1.10.1)
PHP Version: 5.6.30 OS:
Roadmaps: (Not assigned)    
Subscription  


 [2017-01-26 03:10 UTC] hyp3rlinx (John Page)
Description: ------------ I sent initial report Jan 11, 2017, was informed to open a bug so users are aware, as nobody is avail to "fix" or maintain this package. Security issue: pecl download <http://file> 1) PECL will follow redirects and download arbitrary files with completely different names of the initially requested target file (when files are sent in response from an attacker controlled position). 2) PECL does not rename the file to the originally requested (safe) filename. 3) Whatever file is downloaded will overwrite whats on users system, so attacker can overwrite files like ".htaccess" if request is from webroot etc.. 4) PECL doesn't delete these invalid files on downloads. Regards, hyp3rlinx

Comments