Vulnerability in PHP component threatens sites on Drupal, Joomla and Typo3

Web sites based on Drupal, Joomla and Typo3 content management systems are vulnerable to the execution of malicious code. The vulnerability affects the open source PharStreamWrapper PHP component developed by Typo3.

CVE-2019-11831 is a directory traversal vulnerability (path-traversal) that allows you to replace a legitimate phar archive of the site with a malicious one. A phar archive is used to store a PHP application or library in a single file.

The problem was discovered by security researcher Daniel le Gall. According to him, vulnerability is critical, however, in Drupal, it is marked as "medium critical". CVE-2019-11831 is not as dangerous as, for example, discovered in February by CVE-2019-6340, and, of course, it is far from the notorious Drupalgeddon. Joomla developers have completely rated the vulnerability as low. Nevertheless, the problem poses a threat to the security of sites, and administrators are strongly recommended to install updates, I'm sure Le Gall.

Drupal 8.7 needs to be upgraded to 8.7.1, Drupal 8.6 and earlier versions - up to 8.6.16, and Drupal 7 - to 7.67. In the case of Joomla, the vulnerability affects all versions from 3.9.3 to 3.9.5 inclusive. The fix is available in version 3.9.6.

Site administrators running Typo3 should either manually upgrade PharStreamWapper to v3.1.1 and v2.1.1, or make sure that Composer dependencies have been raised to these versions.