The first vulnerability could be exploited by a remote attacker to execute arbitrary PHP code. The flaw resides in the
“A remote code execution vulnerability exists in PHP’s built-in
“Some Drupal code (core,
The development team marked .phar as a potentially dangerous extension, which means that .phar files uploaded to a website running on the popular CMS will be automatically converted to .txt to prevent malicious execution.
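As an added illustration of the upload policy described above (example code written for this page, not Drupal's own implementation), the PHP function below gives a dangerous final extension such as `.phar` a trailing `.txt`, and neutralises a dangerous inner segment (as in `notes.phar.png`) with an underscore, the case a check of only the last extension would miss. The extension list is an assumption for this example.

```php
<?php
// Added example modelled on the mitigation the article describes.
// Not Drupal's own code; the extension list below is an assumption for this example.
const DANGEROUS_EXTENSIONS = ['php', 'phar', 'phtml', 'pl', 'py', 'cgi', 'asp', 'js'];

/**
 * Neutralise a user-supplied filename before it is stored under the web root.
 * - A dangerous final extension ("notes.phar") gets ".txt" appended, so the
 *   web server serves the file as text instead of executing it.
 * - A dangerous inner segment ("notes.phar.png") gets a trailing underscore, so
 *   a server that honours multiple extensions no longer sees a ".phar" segment.
 */
function neutralise_filename(string $name): string {
    // Drop any directory component and NUL bytes a client may have smuggled in.
    $name = basename(str_replace("\0", '', $name));
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return $name; // no extension at all: nothing to neutralise
    }
    $base = array_shift($parts);
    $last = count($parts) - 1;
    // foreach iterates over a copy, so appending to $parts inside the loop is safe.
    foreach ($parts as $i => $ext) {
        if (!in_array(strtolower($ext), DANGEROUS_EXTENSIONS, true)) {
            continue;
        }
        if ($i === $last) {
            $parts[] = 'txt';        // notes.phar     -> notes.phar.txt
        } else {
            $parts[$i] = $ext . '_'; // notes.phar.png -> notes.phar_.png
        }
    }
    return $base . '.' . implode('.', $parts);
}

// Constructed sample inputs showing the policy in action.
foreach (['report.pdf', 'notes.phar', 'notes.PHAR', 'notes.phar.png', '../notes.php'] as $f) {
    printf("%-16s -> %s\n", $f, neutralise_filename($f));
}
```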
Note that the replacement stream wrapper is not compatible with PHP versions lower than 5.3.3.
The development team has disabled the
“Drupal 7 sites using PHP 5.2 (or PHP 5.3.0-5.3.2) that require
The second flaw affects the PEAR Archive_Tar, a third-party library that handles .tar files in PHP. An attacker could use a specially crafted .tar file to delete arbitrary files on the system and possibly even execute remote code.
“Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details,” reads the security advisory.
The development team behind Archive_Tar has patched the flaw, and the updated library has been released in the core of the CMS.
Drupal 8.6.6, 8.5.9 and 7.62 patch both flaws. Experts highlighted that Drupal 8 versions prior to 8.5.x will no longer receive security updates because they have reached the