Allele Security Alert
ASA-2019-00015, SA-CORE-2019-002, CVE-2019-6339
Arbitrary PHP code execution
Drupal 8.6.x before 8.6.6
Drupal 8.5.x before 8.5.9
Drupal 7.x before 7.62
Proof of concept
A remote code execution vulnerability exists in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.
Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.
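One way to apply the input validation the description calls for, shown as an added example (not code from Drupal or from this alert): the hypothetical helper `is_allowed_file_uri()` rejects any stream wrapper scheme that is not on an allow-list before the path reaches a file function, and the hypothetical `disable_phar_wrapper()` removes the wrapper where it is not needed. The allow-list defaults and the sample paths are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not Drupal core or contrib code.

/**
 * True when $path may be passed to file functions such as file_exists():
 * a plain filesystem path, or a URI whose scheme is on the allow-list.
 * The default allow-list is an assumption; set it to the schemes your site uses.
 */
function is_allowed_file_uri(string $path, array $allowedSchemes = ['public', 'temporary']): bool
{
    // Reject empty input, control characters and padded values outright.
    if ($path === '' || $path !== trim($path) || preg_match('/[\x00-\x1f\x7f]/', $path)) {
        return false;
    }
    // Anything shaped like "scheme://" is treated as a stream wrapper URI.
    if (preg_match('#^([a-z][a-z0-9+.\-]*)://#i', $path, $m)) {
        // Lower-case the scheme so PHAR:// and Phar:// are handled like phar://.
        return in_array(strtolower($m[1]), $allowedSchemes, true);
    }
    return true; // no scheme: ordinary filesystem path
}

/**
 * Defence in depth for code that never reads phar archives: remove the wrapper.
 * Code that loads .phar archives in the same process will fail after this.
 */
function disable_phar_wrapper(): bool
{
    return in_array('phar', stream_get_wrappers(), true)
        ? stream_wrapper_unregister('phar')
        : true;
}

// Constructed sample inputs with the expected decision for each.
$samples = [
    'public://images/logo.png'  => true,
    '/var/www/files/report.pdf' => true,
    'phar://uploads/avatar.jpg' => false,
    'PHAR:///tmp/upload.png/x'  => false,
];
foreach ($samples as $path => $expected) {
    $ok = is_allowed_file_uri($path);
    if ($ok !== $expected) {
        throw new RuntimeException("unexpected decision for $path");
    }
    printf("%-28s %s\n", $path, $ok ? 'allowed' : 'rejected');
}
```

A check like this belongs at every point where request data can reach a file function; it complements, and does not replace, upgrading to the fixed releases listed above.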
Greg Knaddison (Drupal Security Team)
Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2019-002
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 24, 2019