CVE-2020-28948 Overview
CVE-2020-28948 is an insecure deserialization vulnerability in PHP's Archive_Tar library through version 1.4.10. The vulnerability exists because the library's security filter blocks the phar: stream wrapper in lowercase but fails to block the uppercase PHAR: variant. This case-sensitivity bypass allows attackers to trigger PHP object unserialization when processing specially crafted archive files, potentially leading to arbitrary code execution.
Critical Impact
Attackers can exploit this case-sensitivity bypass to achieve arbitrary code execution through PHP object injection, affecting widely-deployed systems including Drupal CMS installations.
Affected Products
- PHP Archive_Tar through version 1.4.10
- Drupal CMS (multiple versions)
- Debian Linux 9.0 and 10.0
- Fedora 32, 33, 34, and 35
Discovery Timeline
- November 19, 2020 - CVE-2020-28948 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-28948
Vulnerability Analysis
The Archive_Tar library is a widely-used PHP package for handling TAR archive files. This vulnerability stems from an incomplete security control implementation designed to prevent PHAR (PHP Archive) deserialization attacks. PHP's phar: stream wrapper can be exploited to trigger unserialize() calls when processing file paths, which can lead to arbitrary object instantiation and code execution through gadget chains.
The library's developers implemented a blocklist approach to prevent the use of phar: within archive file paths. However, the implementation only checks for the lowercase phar: string while PHP's stream wrapper handling is case-insensitive. This means that variations such as PHAR:, Phar:, or any other case combination successfully bypass the security filter while still being processed by PHP's stream wrapper.
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and affects any application that uses Archive_Tar to process user-supplied TAR files. The impact is particularly severe for content management systems like Drupal, where file uploads are common functionality.
Root Cause
The root cause is an incomplete blocklist implementation that performs a case-sensitive comparison against the phar: stream wrapper. PHP stream wrappers are case-insensitive, meaning PHAR://, phar://, and PhAr:// are all functionally equivalent. By only blocking the lowercase variant, the security measure can be trivially bypassed by using any alternative case combination.
Attack Vector
Exploitation requires local access with user interaction - specifically, a victim must process a maliciously crafted TAR archive using the vulnerable Archive_Tar library. The attacker constructs a TAR archive containing file entries with paths that reference the PHAR: stream wrapper (or other case variations). When the Archive_Tar library processes these paths, it bypasses the lowercase phar: check, and PHP's stream wrapper handling triggers deserialization of the PHAR archive's metadata.
The attack typically involves:
- Creating a PHAR archive with a malicious serialized object in its metadata
- Embedding a reference to this PHAR within a TAR archive using an uppercase PHAR: path
- Having the victim application process the TAR archive using Archive_Tar
- The deserialization triggers available gadget chains in the application, leading to code execution
Detection Methods for CVE-2020-28948
Indicators of Compromise
- TAR archives containing file paths with case-variant PHAR: references (e.g., PHAR://, Phar://, pHaR://)
- Unusual PHP deserialization errors in application logs following TAR file processing
- Unexpected code execution or process spawning from web application processes
Detection Strategies
- Implement file upload scanning to detect TAR archives containing PHAR stream wrapper references in any case variation
- Monitor application logs for deserialization exceptions and errors during archive extraction operations
- Deploy web application firewall (WAF) rules to inspect uploaded archives for malicious path entries
- Use SentinelOne's behavioral analysis to detect anomalous process execution following web application file handling
Monitoring Recommendations
- Enable verbose logging for applications processing user-uploaded TAR archives
- Monitor for unusual file system access patterns from PHP processes, particularly PHAR file reads
- Alert on Archive_Tar library usage in conjunction with user-supplied file processing
How to Mitigate CVE-2020-28948
Immediate Actions Required
- Upgrade PHP Archive_Tar to version 1.4.11 or later which implements case-insensitive blocking
- Update Drupal installations to patched versions as specified in Drupal Security Advisory SA-CORE-2020-013
- Apply operating system package updates for affected Debian and Fedora systems
- Review application code for direct Archive_Tar usage and ensure updated library versions are deployed
Patch Information
Security patches addressing this vulnerability are available from multiple sources. The primary fix is in Archive_Tar version 1.4.11 and later, which implements case-insensitive stream wrapper blocking. For detailed information, refer to the GitHub Archive_Tar Issue.
Distribution-specific updates are available:
- Debian Security Announcement DSA-4817
- Debian LTS Security Announcement
- Gentoo GLSA 2021-23
- Fedora package announcements for versions 32, 33, 34, and 35
Workarounds
- Disable PHP's PHAR stream wrapper globally if not required by your application using stream_wrapper_unregister('phar')
- Implement input validation to reject TAR archives containing stream wrapper references in file paths
- Restrict file upload functionality to authenticated and trusted users only
- Deploy application-level filtering that performs case-insensitive checks for all PHP stream wrapper schemes
# Disable PHAR stream wrapper in PHP configuration (php.ini)
# Add to php.ini or include in your application's bootstrap
# Note: This may break applications that legitimately use PHAR archives
php -r "stream_wrapper_unregister('phar');"
# Alternatively, add to your PHP application initialization:
# if (in_array('phar', stream_get_wrappers())) {
# stream_wrapper_unregister('phar');
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
