Phar unserialization vulnerability. #167
An unserialization vulnerability was recently discovered which affects the phar wrapper. Because phpMussel uses the phar wrapper for reading archives, this vulnerability also currently affects all supported versions of phpMussel, to the extent of their ability to read archives.

I would strongly recommend that all phpMussel users disable archive checking in phpMussel until further notice. This can be achieved by setting check_archives to false in the phpMussel configuration (at which point, phpMussel would be unable to scan the content of archives, but would also be protected from this vulnerability).

I'm currently planning exactly how to resolve this problem for phpMussel, but it'll most likely involve a complete overhaul of how phpMussel handles archives, and involve completely ditching the phar wrapper in favour of something else. Anyway, I'll reply here with any relevant updates that happen, new information, etc., and announce here when the problem is resolved.

Comments

Fixed by #173. Users are encouraged to update to either v1.6.0 or newer, at which point it should be safe to enable archive checking again.

Hello, we're investigating the issue reports in security. Since we observed that this issue may relate to a potential vulnerability, has it already been disclosed as a CVE? Hope to receive your reply.
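The following is an added example, not phpMussel code and not from the issue thread. It shows why a scanner that opens archives through the phar wrapper is exposed: on PHP 7.x, any plain filesystem call on a phar:// path (here file_exists, with no unserialize() anywhere in the script) makes the phar extension parse the manifest and unserialize the metadata stored in it, so a crafted archive gets to instantiate classes of its choosing. It then shows one defensive pattern: refuse scheme-prefixed paths before touching them and unregister the phar wrapper in a process that never needs it. The Canary class, the isSafePathForScan() helper and the demo.phar file name are assumptions for the demonstration. Building the archive needs phar.readonly=0 (run with php -d phar.readonly=0). As of PHP 8.0, metadata is no longer unserialized automatically on phar:// access (only by Phar::getMetadata()), so the canary fires on PHP 7.x but not on 8.x.

```php
<?php
// Added example (not phpMussel code). Run: php -d phar.readonly=0 phar_demo.php
// Demonstrates that a filesystem call on a phar:// path triggers unserialize()
// of the archive's metadata on PHP 7.x, then one way to close that path off.

if (ini_get('phar.readonly')) {
    fwrite(STDERR, "Re-run with: php -d phar.readonly=0 " . __FILE__ . "\n");
    exit(1);
}

// Hypothetical class standing in for whatever gadget an attacker would pick.
// Its only side effect is to record that a magic method was reached.
class Canary
{
    public $note = 'constructed payload';

    public function __wakeup(): void
    {
        echo "[!] Canary::__wakeup ran: phar metadata was unserialized\n";
        $GLOBALS['canary_triggered'] = true;
    }
}

$GLOBALS['canary_triggered'] = false;
$path = sys_get_temp_dir() . '/demo.phar';   // assumed scratch location
@unlink($path);

// 1. Build an archive whose metadata carries a serialized object (constructed).
$phar = new Phar($path);
$phar->startBuffering();
$phar->addFromString('dummy.txt', "harmless content\n");
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->setMetadata(new Canary());
$phar->stopBuffering();
unset($phar);   // drop the in-memory instance so the next access re-parses the file

// 2. A scanner that merely checks whether an entry exists has already lost:
//    the phar wrapper parses the manifest, metadata included, to answer this.
var_dump(file_exists('phar://' . $path . '/dummy.txt'));
var_dump($GLOBALS['canary_triggered']);   // true on PHP 7.x

// 3. Defence: never hand user-influenced paths to a stream wrapper you did not
//    intend. Reject any scheme prefix, and unregister phar:// for the process
//    when nothing legitimately needs it. (Hypothetical helper name.)
function isSafePathForScan(string $p): bool
{
    // Plain paths only; "phar://", "file://", "php://" etc. are all refused.
    return !preg_match('#^\s*[a-z][a-z0-9+.\-]*://#i', $p);
}

$GLOBALS['canary_triggered'] = false;
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

var_dump(isSafePathForScan('phar://' . $path . '/dummy.txt'));   // false: refused
var_dump(@file_exists('phar://' . $path . '/dummy.txt'));         // false: no wrapper
var_dump($GLOBALS['canary_triggered']);                           // false: nothing ran

@unlink($path);
```

The important property is in step 2: the dangerous call is not unserialize() but an innocuous-looking file operation, which is why the issue body's advice is to stop opening archives via the wrapper at all (check_archives set to false) rather than to audit individual calls. Unregistering the wrapper is a blunt instrument; it is only appropriate in a process that never needs to read .phar files itself.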