ASA-2019-00081 – Joomla: Implement the TYPO3 PHAR stream wrapper


Allele Security Alert

ASA-2019-00081

Identifier(s)

ASA-2019-00081, CVE-2019-7743

Title

Implement the TYPO3 PHAR stream wrapper

Vendor(s)

Open Source Matters, Inc

Product(s)

Joomla

Affected version(s)

Joomla 2.5.0 through 3.9.2

Fixed version(s)

Joomla 3.9.3

Proof of concept

Unknown

Description

The phar:// stream wrapper can be used for object injection attacks. We now disallow usage of the phar:// handler for non-.phar files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.
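The check described above, as an added example that is not code from Joomla or from the TYPO3 PHAR stream wrapper: it shows only the allow/deny decision a guarding wrapper would make before handing a phar:// operation to PHP's native handler. The function names and the sample file names are hypothetical, and the files are constructed in a temporary directory.

```php
<?php
// Added illustration; not Joomla or TYPO3 code. Function names are hypothetical.

/**
 * Find the archive file a phar:// URL refers to by walking the path upwards
 * until an existing regular file is found. Returns null if there is none.
 * The scheme is stripped first, so the phar handler is never invoked here.
 */
function resolvePharBaseFile(string $url): ?string
{
    if (stripos($url, 'phar://') !== 0) {
        return null;
    }
    $path = substr($url, strlen('phar://'));
    while ($path !== '' && $path !== '.' && $path !== DIRECTORY_SEPARATOR) {
        if (is_file($path)) {
            return $path;
        }
        $parent = dirname($path);
        if ($parent === $path) {
            break; // reached the filesystem root
        }
        $path = $parent;
    }
    return null;
}

/** Allow phar:// access only when the archive file itself is named *.phar. */
function isPharAccessAllowed(string $url): bool
{
    $base = resolvePharBaseFile($url);
    return $base !== null
        && strtolower(pathinfo($base, PATHINFO_EXTENSION)) === 'phar';
}

// Constructed sample files: an uploaded image name and a real archive name.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('phar_guard_');
mkdir($dir);
touch($dir . '/upload.jpg');
touch($dir . '/tool.phar');

foreach (['upload.jpg/x.txt', 'tool.phar/src/x.php', 'missing.phar/x'] as $suffix) {
    $verdict = isPharAccessAllowed('phar://' . $dir . '/' . $suffix) ? 'allow' : 'deny';
    printf("%-22s %s\n", $suffix, $verdict);
}

unlink($dir . '/upload.jpg');
unlink($dir . '/tool.phar');
rmdir($dir);
```

The decision is made on the resolved archive file rather than on the URL string, so a path that merely contains ".phar" in a later segment does not pass.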

Technical details

Unknown

Credits

David Jardin (JSST)

Reference(s)

Security Announcements
https://developer.joomla.org/security-centre.html

CVE-2019-7743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7743

CVE-2019-7743
https://nvd.nist.gov/vuln/detail/CVE-2019-7743

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 13, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.