
Phar unserialization vulnerability. #167

Closed
Maikuolan opened this issue Aug 23, 2018 · 3 comments

Comments

@Maikuolan
Member

An unserialization vulnerability was recently discovered which affects the phar wrapper. Because phpMussel implements the phar wrapper for reading archives, this vulnerability also currently affects all currently supported versions of phpMussel to the extent of its ability to read archives.

I would strongly recommend that all phpMussel users disable archive checking in phpMussel until further notice. This can be achieved by setting check_archives to false in the phpMussel configuration (at which point, phpMussel would be unable to scan the content of archives, but would also be protected from this vulnerability).

Currently planning exactly how to resolve this problem for phpMussel, but it'll most likely involve a complete overhaul of how phpMussel handles archives, and involve completely ditching the phar wrapper in favour of something else. Anyway, I'll reply here with any relevant updates that happen, new information, etc., and announce here when the problem is resolved.
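As an added defensive illustration (not code from phpMussel, and not part of the original issue), the PHP helper below shows one way to stop PHP from ever treating an untrusted file path as a Phar archive: it rejects any path that carries a stream-wrapper scheme such as `phar://` before any filesystem function touches it, and unregisters the `phar` wrapper for the whole process so no other code path can open such a URL either. The function names (`isPlainFilesystemPath`, `disablePharWrapper`, `readUntrustedFile`) are hypothetical; `stream_get_wrappers()` and `stream_wrapper_unregister()` are standard PHP functions.

```php
<?php
// Added example, not phpMussel's own code: a hardened file-reading helper
// that refuses stream-wrapper paths (phar://, data://, php://, ...) and
// removes the phar wrapper so Phar metadata is never unserialized when an
// untrusted file is inspected.

declare(strict_types=1);

/**
 * Returns true when $path is a plain filesystem path with no stream-wrapper
 * scheme. A scheme looks like "<letter>[letters/digits/+/-/.]://".
 * Windows drive letters ("C:\...") use a single colon and do not match.
 */
function isPlainFilesystemPath(string $path): bool
{
    return preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*://#', $path) !== 1;
}

/**
 * Unregisters the phar stream wrapper for this process (idempotent).
 * Afterwards no PHP function in the process can open a "phar://" URL,
 * which removes the trigger for Phar metadata unserialization.
 */
function disablePharWrapper(): void
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
}

/**
 * Reads an untrusted file as raw bytes. The wrapper check runs before
 * realpath()/is_file(), because filesystem stat functions on a phar://
 * path are themselves enough to trigger the unserialization.
 */
function readUntrustedFile(string $path): string
{
    if (!isPlainFilesystemPath($path)) {
        throw new InvalidArgumentException('Refusing stream-wrapper path: ' . $path);
    }
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('Not a regular file: ' . $path);
    }
    $data = file_get_contents($real);
    if ($data === false) {
        throw new RuntimeException('Unable to read: ' . $path);
    }
    return $data;
}

// Constructed sample inputs for a quick self-check.
disablePharWrapper();
var_dump(isPlainFilesystemPath('/var/uploads/sample.zip'));
var_dump(isPlainFilesystemPath('phar:///var/uploads/sample.jpg'));
var_dump(in_array('phar', stream_get_wrappers(), true));
```

The wrapper check is deliberately done on the raw string rather than after `realpath()`, since `file_exists()`, `is_file()` and similar stat calls are enough to make PHP parse a Phar manifest when handed a `phar://` path; disabling the wrapper is the belt-and-braces step for code that cannot audit every place a path is used.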

@Maikuolan
Member Author

Fixed by #173. Users are encouraged to update to either v1.6.0 or newer, at which point, it should be safe to enable archive checking again.

@jzySaber1996

Hello, we're investigating the issue reports in security. Since we observed that this issue may relate to a potential vulnerability, has it been disclosed in CVE already? Hope to receive your reply.

@Maikuolan
Member Author
