BID:24111

PHP PEAR INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability

Info

PHP PEAR INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability

Bugtraq ID:	24111
Class:	Input Validation Error
CVE:	CVE-2007-2519
Remote:	Yes
Local:	No
Published:	May 07 2007 12:00AM
Updated:	Jun 05 2007 09:20AM
Credit:	Gregory Beaver [[email protected]] discovered this issue.
Vulnerable:	Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 PEAR PEAR 1.5.3 PEAR PEAR 1.4.3 PEAR PEAR 1.4.2 PEAR PEAR 1.4.1 PEAR PEAR 1.4 PEAR PEAR 1.0 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 4.0

Not Vulnerable:	PEAR PEAR 1.5.4

Discussion

PHP PEAR INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability

PEAR is prone to a vulnerability that lets attackers overwrite arbitrary files.

An attacker-supplied package may supply directory-traversal strings through the 'install-as' attribute to create and overwrite files in arbitrary locations.

This issue affects PEAR 1.0 to 1.5.3.

Exploit / POC

PHP PEAR INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability

An exploit is not required. A proof of concept is available.

/data/vulnerabilities/exploits/PEAR_poc.txt

Solution / Fix

PHP PEAR INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability

Solution:
The vendor has released PEAR 1.5.4 to address this issue. Please see the references for more information.

PEAR PEAR 1.0

PEAR PEAR-1.5.4.tgz
http://download.pear.php.net/package/PEAR-1.5.4.tgz

PEAR PEAR 1.4

PEAR PEAR-1.5.4.tgz
http://download.pear.php.net/package/PEAR-1.5.4.tgz

PEAR PEAR 1.4.1

PEAR PEAR-1.5.4.tgz
http://download.pear.php.net/package/PEAR-1.5.4.tgz

PEAR PEAR 1.4.2

PEAR PEAR-1.5.4.tgz
http://download.pear.php.net/package/PEAR-1.5.4.tgz

PEAR PEAR 1.4.3

PEAR PEAR-1.5.4.tgz
http://download.pear.php.net/package/PEAR-1.5.4.tgz

PEAR PEAR 1.5.3

PEAR PEAR-1.5.4.tgz
http://download.pear.php.net/package/PEAR-1.5.4.tgz

References

PHP PEAR INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability

References:

Arbitrary File Overwrite Vulnerability in the PEAR Installer (PEAR)
PEAR Home Page (PEAR)
PEAR installer arbitrary code execution vulnerability (Gregory Beaver [[email protected]])
USN-462-1 - php5 vulnerabilities (Ubuntu)