Directory traversal vulnerability in the installer in PEAR 1.0 through 1.5.3 allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in the (1) install-as attribute in the file element in package.xml 1.0 or the (2) as attribute in the install element in package.xml 2.0. NOTE: it could be argued that this does not cross privilege boundaries in typical installations, since the code being installed could perform the same actions.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Pear | Php_group | 1.0 (including) | 1.0 (including) |
| Pear | Php_group | 1.0.1 (including) | 1.0.1 (including) |
| Pear | Php_group | 1.1 (including) | 1.1 (including) |
| Pear | Php_group | 1.2 (including) | 1.2 (including) |
| Pear | Php_group | 1.2.1 (including) | 1.2.1 (including) |
| Pear | Php_group | 1.2b1 (including) | 1.2b1 (including) |
| Pear | Php_group | 1.2b2 (including) | 1.2b2 (including) |
| Pear | Php_group | 1.2b3 (including) | 1.2b3 (including) |
| Pear | Php_group | 1.2b4 (including) | 1.2b4 (including) |
| Pear | Php_group | 1.2b5 (including) | 1.2b5 (including) |
| Pear | Php_group | 1.3 (including) | 1.3 (including) |
| Pear | Php_group | 1.3.1 (including) | 1.3.1 (including) |
| Pear | Php_group | 1.3.3 (including) | 1.3.3 (including) |
| Pear | Php_group | 1.3.3.1 (including) | 1.3.3.1 (including) |
| Pear | Php_group | 1.3.4 (including) | 1.3.4 (including) |
| Pear | Php_group | 1.3.5 (including) | 1.3.5 (including) |
| Pear | Php_group | 1.3.6 (including) | 1.3.6 (including) |
| Pear | Php_group | 1.3b1 (including) | 1.3b1 (including) |
| Pear | Php_group | 1.3b2 (including) | 1.3b2 (including) |
| Pear | Php_group | 1.3b3 (including) | 1.3b3 (including) |
| Pear | Php_group | 1.3b5 (including) | 1.3b5 (including) |
| Pear | Php_group | 1.3b6 (including) | 1.3b6 (including) |
| Pear | Php_group | 1.4.0 (including) | 1.4.0 (including) |
| Pear | Php_group | 1.4.0a1 (including) | 1.4.0a1 (including) |
| Pear | Php_group | 1.4.0a2 (including) | 1.4.0a2 (including) |
| Pear | Php_group | 1.4.0a3 (including) | 1.4.0a3 (including) |
| Pear | Php_group | 1.4.0a4 (including) | 1.4.0a4 (including) |
| Pear | Php_group | 1.4.0a5 (including) | 1.4.0a5 (including) |
| Pear | Php_group | 1.4.0a6 (including) | 1.4.0a6 (including) |
| Pear | Php_group | 1.4.0a7 (including) | 1.4.0a7 (including) |
| Pear | Php_group | 1.4.0a8 (including) | 1.4.0a8 (including) |
| Pear | Php_group | 1.4.0a9 (including) | 1.4.0a9 (including) |
| Pear | Php_group | 1.4.0a10 (including) | 1.4.0a10 (including) |
| Pear | Php_group | 1.4.0a11 (including) | 1.4.0a11 (including) |
| Pear | Php_group | 1.4.0a12 (including) | 1.4.0a12 (including) |
| Pear | Php_group | 1.4.0b1 (including) | 1.4.0b1 (including) |
| Pear | Php_group | 1.4.0b2 (including) | 1.4.0b2 (including) |
| Pear | Php_group | 1.4.0rc1 (including) | 1.4.0rc1 (including) |
| Pear | Php_group | 1.4.0rc2 (including) | 1.4.0rc2 (including) |
| Pear | Php_group | 1.4.1 (including) | 1.4.1 (including) |
| Pear | Php_group | 1.4.2 (including) | 1.4.2 (including) |
| Pear | Php_group | 1.4.3 (including) | 1.4.3 (including) |
| Pear | Php_group | 1.4.4 (including) | 1.4.4 (including) |
| Pear | Php_group | 1.4.5 (including) | 1.4.5 (including) |
| Pear | Php_group | 1.4.6 (including) | 1.4.6 (including) |
| Pear | Php_group | 1.4.7 (including) | 1.4.7 (including) |
| Pear | Php_group | 1.4.8 (including) | 1.4.8 (including) |
| Pear | Php_group | 1.4.9 (including) | 1.4.9 (including) |
| Pear | Php_group | 1.4.10 (including) | 1.4.10 (including) |
| Pear | Php_group | 1.4.10rc1 (including) | 1.4.10rc1 (including) |
| Pear | Php_group | 1.4.11 (including) | 1.4.11 (including) |
| Pear | Php_group | 1.5.0 (including) | 1.5.0 (including) |
| Pear | Php_group | 1.5.0a1 (including) | 1.5.0a1 (including) |
| Pear | Php_group | 1.5.0rc1 (including) | 1.5.0rc1 (including) |
| Pear | Php_group | 1.5.0rc2 (including) | 1.5.0rc2 (including) |
| Pear | Php_group | 1.5.0rc3 (including) | 1.5.0rc3 (including) |
| Pear | Php_group | 1.5.1 (including) | 1.5.1 (including) |
| Pear | Php_group | 1.5.2 (including) | 1.5.2 (including) |
| Pear | Php_group | 1.5.3 (including) | 1.5.3 (including) |
| Php5 | Ubuntu | dapper | * |
| Php5 | Ubuntu | edgy | * |
| Php5 | Ubuntu | feisty | * |
| Php5 | Ubuntu | upstream | * |
References
- http://osvdb.org/42108
- http://pear.php.net/advisory-20070507.txt
- http://pear.php.net/news/vulnerability2.php
- http://secunia.com/advisories/25372
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:110
- http://www.securityfocus.com/bid/24111
- http://www.ubuntu.com/usn/usn-462-1
- http://www.vupen.com/english/advisories/2007/1926
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34482
- http://osvdb.org/42108
- http://pear.php.net/advisory-20070507.txt
- http://pear.php.net/news/vulnerability2.php
- http://secunia.com/advisories/25372
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:110
- http://www.securityfocus.com/bid/24111
- http://www.ubuntu.com/usn/usn-462-1
- http://www.vupen.com/english/advisories/2007/1926
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34482