[20190206] - Core - Implement the TYPO3 PHAR stream wrapper

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 2.5.0 through 3.9.2
Exploit type: Object Injection
Reported Date: 2019-January-18
Fixed Date: 2019-February-12
CVE Number: CVE-2019-7743

Description

The phar:// stream wrapper can be used for objection injection attacks. We now disallow usage of the phar:// handler for non .phar-files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.

Affected Installs

Joomla! CMS versions 2.5.0 through 3.9.2

Solution

Upgrade to version 3.9.3

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin (JSST)