Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.10.13

Bug #21171 PECL Arbitrary File Download Vulnerability
Submitted: 2017-01-26 03:10 UTC
From: hyp3rlinx Assigned:
Status: Open Package: PEAR (version 1.10.1)
PHP Version: 5.6.30 OS:
Roadmaps: (Not assigned)    
Comments Add Comment Add patch

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know! Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem : 49 - 27 = ?

 [2017-01-26 03:10 UTC] hyp3rlinx (John Page)
Description: ------------ I sent initial report Jan 11, 2017, was informed to open a bug so users are aware, as nobody is avail to "fix" or maintain this package. Security issue: pecl download <http://file> 1) PECL will follow redirects and download arbitrary files with completely different names of the initially requested target file (when files are sent in response from an attacker controlled position). 2) PECL does not rename the file to the originally requested (safe) filename. 3) Whatever file is downloaded will overwrite whats on users system, so attacker can overwrite files like ".htaccess" if request is from webroot etc.. 4) PECL doesn't delete these invalid files on downloads. Regards, hyp3rlinx