Drupal has released a moderately critical security update for both Drupal 8 (versions 8.6.16 & 8.7.1) and Drupal 7 (version 7.67). This security release fixes third-party dependencies included in or required by Drupal core. It has been discovered that the protection against insecure deserialization can be by-passed in Phar Stream Wrapper component.
In order to intercept file invocations like file_exists or stat on compromised PHAR files, the base name has to be determined and checked before allowing it to be handled by PHP PHAR stream handling. The current implementation is vulnerable to path traversal leading to scenarios where the PHAR file to be assessed is not the actual (compromised) file.
What is a PHAR file and how is it used?
In software, a PHAR (PHP Archive) file is a package format to enable distribution of applications and libraries by bundling many PHP code files and other resources (e.g. images, style sheets, scripts etc.) into a single archive file. PHAR files may be in one of three formats: tar, and ZIP, which are compatible with their respective tooling, and a custom PHAR format. Drupal uses third-party dependencies to create, extract and manage PHAR files within its core functionality.
To mitigate the vulnerability that has been identified, all Drupal 7 & 8 websites should be updated to the latest version of Drupal.
All Drupal 7 & 8 websites that are hosted with Enrega will be updated by our support team. For more information about the update process, please see our security updates for your website page.
If you have a shared hosting account, you can see our progress by following our support team on Twitter. If you have a custom website that is not in shared hosting, we'll let you know by email when we're done.