CVE-2020-7063 Overview
CVE-2020-7063 is an Improper Permissions vulnerability affecting multiple versions of PHP. When creating PHAR (PHP Archive) files using the PharData::buildFromIterator() function, the archive fails to preserve the original file permissions from the source filesystem. Instead, all files are added with default permissions of 0666 (read/write for all users), regardless of the more restrictive permissions that may have been set on the original files. When such archives are extracted, the resulting files inherit these overly permissive settings, potentially exposing sensitive data or allowing unauthorized modifications.
Critical Impact
Files extracted from PHAR archives created with vulnerable PHP versions may have world-readable and world-writable permissions, potentially exposing sensitive configuration files, credentials, or allowing unauthorized file modifications.
Affected Products
- PHP versions 7.2.x below 7.2.28
- PHP versions 7.3.x below 7.3.15
- PHP versions 7.4.x below 7.4.3
- Tenable.sc (prior to patched versions)
- Debian Linux 8.0, 9.0, and 10.0
- openSUSE Leap 15.1
Discovery Timeline
- 2020-02-27 - CVE-2020-7063 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-7063
Vulnerability Analysis
This vulnerability is classified under CWE-281 (Improper Preservation of Permissions). The core issue lies in how the PharData::buildFromIterator() function handles file metadata during archive creation. The function is designed to iterate over a collection of files and package them into a PHAR archive format, which is commonly used for distributing PHP applications and libraries.
When files are added to the archive, the function should capture and store the original permission bits from the source files. However, due to the flaw, the function instead applies a hardcoded default permission mask of 0666 to all files. This permission setting grants read and write access to the file owner, group, and all other users on the system.
The security implications become apparent during extraction. Applications that rely on PHAR archives to deploy configurations, scripts, or other sensitive files may inadvertently expose these files to unauthorized access. For instance, a configuration file containing database credentials that was originally set to 0600 (owner read/write only) would become world-readable after being packaged and extracted.
Root Cause
The root cause is a failure to properly preserve filesystem permission metadata when building PHAR archives using the PharData::buildFromIterator() method. The implementation does not read or store the source file's permission bits, defaulting instead to 0666 for all archived files. This represents an oversight in the archive creation logic where file attributes beyond content are not being properly captured and preserved.
Attack Vector
The attack vector for this vulnerability is network-based, as PHAR archives are commonly distributed via web applications, package managers, or file downloads. An attacker could exploit this vulnerability in several scenarios:
Post-Extraction Privilege Abuse: After a legitimate archive created with vulnerable PHP versions is extracted, an attacker with local access could read or modify files that should have been protected by stricter permissions.
Supply Chain Impact: If a developer creates and distributes PHAR archives using an affected PHP version, all downstream users who extract these archives will have improperly permissioned files on their systems.
Sensitive Data Exposure: Configuration files, private keys, or credentials included in PHAR archives may become accessible to unauthorized local users after extraction.
The vulnerability affects the integrity aspect of the affected files, as the improper permissions could allow unauthorized modifications even without direct code execution.
Detection Methods for CVE-2020-7063
Indicators of Compromise
- Files extracted from PHAR archives with unexpectedly permissive permissions (0666 or -rw-rw-rw-)
- Configuration files or sensitive data with world-readable/writable permissions in web application directories
- PHAR archives created with affected PHP versions present on the system
Detection Strategies
- Audit PHP version across all systems to identify installations running versions 7.2.x below 7.2.28, 7.3.x below 7.3.15, or 7.4.x below 7.4.3
- Implement file integrity monitoring to detect files with unexpected 0666 permissions in application directories
- Review application logs for PharData::buildFromIterator() usage in archive creation workflows
- Scan existing PHAR archives for permission metadata anomalies
Monitoring Recommendations
- Monitor for changes in file permissions on sensitive configuration files and application directories
- Implement alerts for new files created with world-writable permissions in web-accessible directories
- Track PHP version updates across development and production environments
- Audit PHAR archive creation and extraction activities in application workflows
How to Mitigate CVE-2020-7063
Immediate Actions Required
- Upgrade PHP to version 7.2.28 or later for the 7.2.x branch
- Upgrade PHP to version 7.3.15 or later for the 7.3.x branch
- Upgrade PHP to version 7.4.3 or later for the 7.4.x branch
- Review and correct permissions on files previously extracted from PHAR archives created with vulnerable versions
- Apply vendor-specific patches from Debian, Ubuntu, openSUSE, and Tenable as applicable
Patch Information
Security patches addressing this vulnerability are available from multiple sources. The PHP project has released fixed versions for all affected branches. Refer to PHP Bug Report #79082 for official vendor information. Additional security advisories have been published by downstream vendors including Debian Security Advisory DSA-4717, Ubuntu Security Notice USN-4330-1, Gentoo GLSA 202003-57, and Tenable Security Notification TNS-2021-14.
Workarounds
- Manually reset file permissions after extracting PHAR archives using chmod commands
- Implement a post-extraction script to apply appropriate permissions based on file type and sensitivity
- Avoid using PharData::buildFromIterator() until patched versions are deployed
- Use alternative archive formats (ZIP, tar.gz) that properly preserve permissions until PHP can be upgraded
# Remediation: Fix permissions on extracted files
# After extracting a PHAR archive, reset permissions appropriately
find /path/to/extracted/files -type f -exec chmod 0644 {} \;
find /path/to/extracted/files -type d -exec chmod 0755 {} \;
# For sensitive configuration files, apply stricter permissions
chmod 0600 /path/to/extracted/files/config/*.conf
chmod 0600 /path/to/extracted/files/.env
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
