CVE-2020-36193 Overview
CVE-2020-36193 is a directory traversal vulnerability in PHP's Archive_Tar library (through version 1.4.11) that allows attackers to perform unauthorized write operations outside of intended directories. The vulnerability stems from inadequate checking of symbolic links during tar archive extraction, enabling malicious actors to write arbitrary files to the filesystem. This is a related issue to CVE-2020-28948.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Attackers can leverage this flaw to overwrite critical system files or deploy malicious payloads by crafting tar archives with specially constructed symbolic links.
Affected Products
- PHP Archive_Tar (through version 1.4.11)
- Drupal (multiple versions utilizing Archive_Tar)
- Fedora 32, 33, 34, 35
- Debian Linux 9.0 and 10.0
Discovery Timeline
- 2021-01-18 - CVE-2020-36193 published to NVD
- 2025-11-07 - Last updated in NVD database
Technical Details for CVE-2020-36193
Vulnerability Analysis
The vulnerability exists in Tar.php within the Archive_Tar library, a widely used PHP PEAR package for handling tar archives. The core issue is insufficient validation of symbolic links during archive extraction. When processing a tar archive, the library does not properly validate symbolic link targets, so path traversal sequences in those targets can escape the intended extraction directory.
This weakness is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-59 (Improper Link Resolution Before File Access). The combination of these weaknesses enables attackers to create symbolic links pointing to arbitrary filesystem locations and then write content through those links.
Root Cause
The root cause is the inadequate validation of symbolic link targets within the Tar.php file. When the Archive_Tar library extracts files from a tar archive, it processes symbolic links without properly verifying that the link target remains within the designated extraction directory. This allows attackers to craft malicious tar archives containing symbolic links with path traversal sequences (such as ../) that point to sensitive locations outside the extraction path.
The related vulnerability CVE-2020-28948 addressed similar issues, but the fix was incomplete, leaving this additional attack vector exploitable through symbolic link manipulation.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious tar archive containing:
- A symbolic link pointing to a directory outside the extraction path (e.g., symlink -> ../../etc/)
- Subsequent files that reference this symbolic link, allowing writes to the target location
When a vulnerable application extracts this archive using Archive_Tar, the attacker can:
- Overwrite configuration files to modify application behavior
- Write PHP files to web-accessible directories for remote code execution
- Modify system files if the application runs with elevated privileges
The vulnerability is particularly dangerous for Content Management Systems like Drupal, where file upload and extraction functionality may be exposed to authenticated or even unauthenticated users depending on configuration.
In short, the extraction routine does not resolve and validate symbolic link targets before allowing file writes through those links: an archive declares a symlink whose target lies outside the extraction path via relative path sequences, and later entries in the same archive write through that symlink. For the exact code change, see the GitHub security commit.
Detection Methods for CVE-2020-36193
Indicators of Compromise
- Unexpected files appearing in sensitive system directories (e.g., /etc/, /var/www/, application root directories)
- Symbolic links created in temporary or upload directories pointing to paths outside the expected scope
- Web server logs showing requests to newly created PHP files in unexpected locations
- File system audit logs indicating file creation or modification in protected directories following archive extraction operations
Detection Strategies
- Implement file integrity monitoring (FIM) on critical system and application directories to detect unauthorized modifications
- Monitor application logs for archive extraction operations, particularly those involving user-uploaded content
- Scan for newly created symbolic links in web-accessible directories and temporary folders
- Review web server access logs for requests to unfamiliar PHP files that may indicate webshell deployment
Monitoring Recommendations
- Enable and centralize logging for all file operations in applications that handle tar archives
- Configure alerts for file creation events in sensitive directories that should remain static
- Implement network monitoring to detect potential command and control communications from deployed webshells
- Use SentinelOne's behavioral AI to detect post-exploitation activities resulting from successful archive traversal attacks
How to Mitigate CVE-2020-36193
Immediate Actions Required
- Update PHP Archive_Tar to version 1.4.12 or later immediately
- For Drupal installations, apply the patches referenced in Drupal Security Advisory SA-CORE-2021-001
- Review systems for indicators of compromise, particularly if file upload functionality was exposed
- Restrict file upload capabilities to authenticated users with validated permissions until patches are applied
Patch Information
The vulnerability has been addressed in Archive_Tar version 1.4.12 and later. The fix implements proper validation of symbolic link targets to ensure they cannot escape the designated extraction directory. The security patch is available via the official GitHub commit.
Additional security advisories and patches are available from:
- Debian Security Advisory DSA-4894
- Gentoo GLSA 202101-23
- Fedora package updates for affected versions
Workarounds
- Disable tar archive upload and extraction functionality until patches can be applied
- Implement application-level validation of uploaded archives before extraction, scanning for symbolic links with suspicious targets
- Run archive extraction processes in isolated environments (containers, chroot) with minimal filesystem access
- Apply restrictive file permissions to directories where archives are extracted to limit the impact of potential exploitation
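As an added illustration of the pre-extraction validation workaround above (this is example code, not from the page or from Archive_Tar itself), the following checker walks a tar archive's entries before anything is written and flags the pattern this CVE relies on: link targets that escape the destination, and later entries whose path passes through an earlier symlink. The destination directory `/var/www/uploads` and the sample archive are constructed for the demo.

```python
import io
import os
import tarfile

def _escapes(root: str, candidate: str) -> bool:
    # Lexical check: does root/candidate normalise to a path outside root?
    root = os.path.abspath(root)
    return os.path.commonpath([root, os.path.normpath(os.path.join(root, candidate))]) != root

def unsafe_entries(tar: tarfile.TarFile, dest: str) -> list:
    """Members that would write outside dest: traversal in names, link targets
    escaping dest, or files written through a link declared earlier in the archive."""
    problems, links = [], []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or _escapes(dest, m.name):
            problems.append(f"{m.name}: path escapes {dest}")
            continue
        if m.issym() or m.islnk():
            # Symlink targets are relative to the link's directory; hard-link targets are archive-relative.
            target = m.linkname if m.islnk() else os.path.join(os.path.dirname(m.name), m.linkname)
            if os.path.isabs(m.linkname) or _escapes(dest, target):
                problems.append(f"{m.name} -> {m.linkname}: link target escapes {dest}")
            links.append(m.name)
            continue
        for link in links:
            if m.name.startswith(link + "/"):
                problems.append(f"{m.name}: written through symlink {link}")
    return problems

def _add(tar, name, data=b"", linkname=None):
    info = tarfile.TarInfo(name)
    if linkname is not None:
        info.type, info.linkname = tarfile.SYMTYPE, linkname
        tar.addfile(info)
    else:
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

def build_sample_archive() -> bytes:
    """Constructed demo archive mirroring the symlink-then-write pattern described above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "readme.txt", b"harmless")            # benign entry, must not be flagged
        _add(tar, "link", linkname="../../etc")          # symlink target leaves the extraction dir
        _add(tar, "link/dropped.txt", b"x")              # later entry writes through that symlink
    return buf.getvalue()

def scan_bytes(data: bytes, dest: str = "/var/www/uploads") -> list:
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return unsafe_entries(tar, dest)
```

Reject the upload if `unsafe_entries` returns anything; the check is lexical, so it works before extraction and does not depend on what already exists under the destination.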
# Example: Restrict extraction directory permissions
chmod 755 /var/www/uploads
chown www-data:www-data /var/www/uploads
# Verify the installed Archive_Tar version
pear info Archive_Tar | grep -i 'release version'     # PEAR-managed install
composer show pear/archive_tar | grep -i versions     # Composer-managed install
# Or read the version string recorded in the installed Tar.php
grep -o 'version.*' /path/to/pear/Archive/Tar.php
# Update Archive_Tar via PEAR
pear upgrade Archive_Tar
# For Composer-managed projects
composer update pear/archive_tar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.