Open source bug poses threat to sites running multiple CMSes

Open source bug poses threat to sites running multiple CMSes

(credit: Pixabay)

Websites running the Drupal, Joomla, or Typo3 content-management systems are vulnerable to attacks that could possibly execute malicious code until administrators install just-released patches, developers and security researchers warned.

The vulnerability resides in the PharStreamWrapper, a PHP component developed and open-sourced by CMS maker Typo3. Indexed as CVE-2019-11831, the flaw stems from a path-traversal bug that allows hackers to swap a site’s legitimate phar archive with a malicious one. A phar archive is used to distribute a complete PHP application or library in a single file, in much the way a Java archive file bundles many Java files into a single file.

In an advisory published Wednesday, Drupal developers rated the severity of the vulnerability affecting their CMS as moderately critical. That’s well below the highly critical rating of a recent Drupal vulnerability and earlier remote-execution flaws that took on the name “Drupalgeddon.” Still, the

Read the rest