The first vulnerability could be exploited by a remote attacker to execute arbitrary PHP code. The flaw resides in the
“A remote code execution vulnerability exists in PHP’s built-in
“Some Drupal code (core,
The development team marked .phar as a potentially dangerous extension, this means that .phar files uploaded to a website running on the popular CMS will be automatically converted to .txt to prevent malicious execution.
Note that the replacement stream wrapper is not compatible with PHP versions lower than 5.3.3.
The development team has disabled the
“Drupal 7 sites using PHP 5.2 (or PHP 5.3.0-5.3.2) that require
The second flaw affects the PEAR Archive_Tar, a third-party library that handles .tar files in PHP. An attacker could use a specially crafted .tar file to delete arbitrary files on the system and possibly even execute remote code.
“Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.” reads the security advisory.
The development team behind the Archive_Tar have patched flaw and released the update it in the core of the CMS.
Drupal 8.6.6, 8.5.9 and 7.62 patch both flaws, experts highlighted that Drupal 8 versions prior to 8.5.x will no longer receive security updates because they have reached the
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.