[3.9] drupal7: TYP03 does not prevent directory traversal resulting in bypass of deserialization of protection mechanism in phar-stream-wrapper (CVE-2019-11831)
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1
and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal,
which allows attackers
to bypass a deserialization protection mechanism, as demonstrated by a
phar:///path/bad.phar/../good.phar URL.
Fixed In Version:
drupal 7.67
References:
https://www.drupal.org/sa-core-2019-007
https://typo3.org/security/advisory/typo3-psa-2019-007/
(from redmine: issue id 10515, created on 2019-05-30, closed on 2019-06-05)
- Changesets:
- Revision 22588a32 by Natanael Copa on 2019-06-05T07:51:45Z:
community/drupal7: security upgrade to 7.67 (CVE-2019-11831)
fixes #10515
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information