CVE-2020-28949 Overview
CVE-2020-28949 is a path traversal and arbitrary file write vulnerability in PHP's PEAR Archive_Tar library through version 1.4.10. The library implements incomplete filename sanitization that blocks only the phar:// stream wrapper, leaving applications exposed to other PHP stream wrappers such as file://, which can be used to overwrite arbitrary files on the target system.
Critical Impact
This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Attackers can craft malicious TAR archives that overwrite critical system files when extracted, potentially leading to remote code execution on vulnerable systems including Drupal installations.
Affected Products
- PHP Archive_Tar through version 1.4.10
- Drupal (multiple versions)
- Debian Linux 9.0 and 10.0
- Fedora 32, 33, 34, and 35
Discovery Timeline
- 2020-11-19 - CVE-2020-28949 published to NVD
- 2025-11-07 - Last updated in NVD database
Technical Details for CVE-2020-28949
Vulnerability Analysis
The vulnerability exists in the Archive_Tar library's file extraction routine. When the library was originally patched to prevent phar deserialization attacks (CVE-2020-28948), the developers implemented filename sanitization that specifically targeted the phar:// stream wrapper. However, this fix was incomplete as PHP supports multiple stream wrappers that can be abused for malicious purposes.
The flaw allows an attacker to create a specially crafted TAR archive containing filenames that use alternative PHP stream wrappers such as file://, php://, or data://. When the archive is extracted by a vulnerable application, these stream wrapper paths are processed, enabling arbitrary file writes to locations outside the intended extraction directory.
This vulnerability is particularly dangerous in web application contexts, especially Drupal installations, where uploaded TAR archives may be processed automatically. An attacker could overwrite configuration files, inject malicious code into PHP files, or manipulate other critical system files.
Root Cause
The root cause is an incomplete input validation pattern in the Archive_Tar library's filename handling code. The original fix for phar attacks implemented a blocklist approach, specifically filtering out phar:// prefixes while failing to account for other dangerous PHP stream wrappers. This oversight in the sanitization logic means that alternative stream wrapper schemes bypass the security check entirely, allowing path traversal and arbitrary file operations through the extraction process.
Attack Vector
Exploitation requires local access or user interaction to trigger processing of a malicious TAR archive. An attacker creates a TAR archive with filenames containing PHP stream wrapper syntax (e.g., file:///var/www/html/config.php). When a vulnerable application extracts this archive, the stream wrapper is interpreted by PHP, causing the file contents to be written to the attacker-specified path rather than the intended extraction directory.
In web applications like Drupal, this can be triggered by uploading a malicious archive through file upload functionality. The attack succeeds when the server-side code processes the archive using a vulnerable version of Archive_Tar, enabling attackers to write webshells or overwrite critical configuration files.
Detection Methods for CVE-2020-28949
Indicators of Compromise
- Unexpected file modifications in web application directories, particularly PHP files or configuration files
- TAR archives containing filenames with stream wrapper prefixes (e.g., file://, php://, data://)
- Web server logs showing archive upload attempts followed by suspicious file access patterns
- Newly created or modified PHP files in unexpected locations with webshell-like characteristics
Detection Strategies
- Monitor file system integrity for unauthorized modifications to PHP files and configuration files in web application directories
- Implement file upload scanning to detect TAR archives containing stream wrapper prefixes in filenames
- Review PHP Archive_Tar version deployed across applications using dependency scanning tools
- Deploy web application firewalls (WAF) with rules to detect and block malicious archive uploads
Monitoring Recommendations
- Enable file integrity monitoring on critical web application directories and configuration files
- Log and alert on any extraction operations performed by Archive_Tar in production environments
- Monitor for unusual file write operations originating from web server processes
- Track package version dependencies and alert when vulnerable Archive_Tar versions are detected
How to Mitigate CVE-2020-28949
Immediate Actions Required
- Update PHP Archive_Tar to version 1.4.11 or later, which includes comprehensive stream wrapper filtering
- Apply Drupal security updates as specified in Drupal Security Advisory SA-CORE-2020-013
- Review and patch all systems running affected Debian and Fedora distributions using vendor-provided security updates
- Conduct a security audit of any TAR archive processing functionality in custom applications
Patch Information
Security patches are available from multiple sources. The upstream fix is available in Archive_Tar version 1.4.11 and later. Distribution-specific patches have been released through Debian Security Advisory DSA-4817, Debian LTS announcements, and Fedora package updates. Drupal users should apply the patches outlined in the official Drupal security advisory. For detailed technical discussion, refer to the GitHub issue.
Workarounds
- Disable or restrict file upload functionality that processes TAR archives until patches can be applied
- Implement additional server-side validation to reject TAR archives with suspicious filenames containing :// patterns
- Run web applications with restricted file system permissions to limit the impact of arbitrary file write attempts
- Consider isolating archive processing in sandboxed environments with limited file system access
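An added example (not Archive_Tar code) in Python that walks the raw ustar headers of a TAR archive and applies two checks to every entry name: a phar-only blocklist in the spirit of the incomplete fix described under Root Cause, and a hardened check that refuses any stream-wrapper scheme, absolute path or '..' component, implementing the server-side validation suggested in the workaround above. The archive and all filenames in it are constructed placeholders.

```python
import io
import re
import tarfile

BLOCK = 512
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")  # file://, php://, data://, phar://, ...

def tar_entry_names(data):
    """Yield entry names by walking raw 512-byte ustar headers, without extracting anything."""
    off = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:  # a zero block terminates the archive
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        prefix = hdr[345:500].split(b"\0", 1)[0].decode("utf-8", "replace")
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        if hdr[156:157] not in (b"x", b"g", b"L", b"K"):  # skip pax/GNU metadata entries
            yield prefix + "/" + name if prefix else name
        off += BLOCK + -(-size // BLOCK) * BLOCK  # header plus data rounded up to a block

def weak_check(name):
    """Phar-only blocklist, mirroring the incomplete approach described on this page."""
    return not name.lower().startswith("phar://")

def hardened_check(name):
    """Reject any stream-wrapper scheme, absolute paths and '..' path components."""
    if SCHEME_RE.match(name) or name.startswith(("/", "\\")):
        return False
    return ".." not in name.replace("\\", "/").split("/")

def scan_archive(data, check=hardened_check):
    """Return the entry names the given check would refuse to extract."""
    return [n for n in tar_entry_names(data) if not check(n)]

def build_sample_tar(names):
    """Constructed sample archive; every filename passed in is a placeholder."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for n in names:
            body = b"<?php /* constructed sample */\n"
            info = tarfile.TarInfo(n)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

SAMPLE = build_sample_tar(["modules/ok.php", "phar://p.phar/x",
                           "file:///var/www/html/config.php", "../../etc/hosts"])
```

Running scan_archive(SAMPLE, weak_check) flags only the phar:// entry, while scan_archive(SAMPLE) also flags the file:// and '..' entries, which is the gap the incomplete fix left open.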
Example commands to check the installed Archive_Tar version and update it:
# Verify Archive_Tar version and update via PEAR
pear list | grep Archive_Tar
pear upgrade Archive_Tar
# Alternatively, update via Composer
composer show pear/archive_tar
composer update pear/archive_tar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.