CVE-2020-28949 — AI Deep Analysis Summary

🚨 **Essence**: A flaw in **Pear Archive_Tar** (PHP library). It handles tar/phar files. <br>⚠️ **Consequence**: Attackers can overwrite arbitrary files on the server.…

🛡️ **Root Cause**: Incomplete **filename sanitization**. <br>❌ **Flaw**: The previous patch only targeted **phar** attacks. It failed to sanitize other **stream wrappers** (e.g., `file://`).…

📦 **Affected**: **Pear Archive_Tar** library. <br>📉 **Version**: **1.4.10** and earlier. <br>🌐 **Context**: Used by **Drupal** and other PHP apps relying on PEAR. Check your PHP dependencies! 🧐

💀 **Impact**: **File Overwrite**. <br>🔓 **Privileges**: Can overwrite existing files on the filesystem. <br>📂 **Data**: Potential for **Remote Code Execution (RCE)** if critical config/script files are overwritten.…

⚖️ **Threshold**: **Medium/High**. <br>🔑 **Auth**: Usually requires the app to process a **user-uploaded tar/phar file**. <br>⚙️ **Config**: Depends on how the application handles file uploads.…

📢 **Public Exp?**: **Yes/Indirect**. <br>🔗 **References**: **Drupal SA-CORE-2020-013** confirms exploitation. <br>🐛 **Status**: Active patches exist for major platforms (Drupal, Fedora, Debian).…

🔍 **Self-Check**: <br>1. Scan for **Archive_Tar** PHP library. <br>2. Check version **< 1.4.11**. <br>3. Look for **Drupal** sites using this component. <br>4.…

✅ **Fixed?**: **Yes**. <br>🩹 **Patch**: Update to **Archive_Tar > 1.4.10**. <br>📢 **Advisories**: <br>- **Drupal**: SA-CORE-2020-013 <br>- **Debian**: DSA-4817 <br>- **Fedora**: Multiple updates. 🏥

🚧 **No Patch?**: <br>1. **Disable** tar/phar extraction features if possible. <br>2. **Validate** filenames strictly before passing to Archive_Tar. <br>3. **Restrict** `file://` stream wrapper permissions. <br>4.…

🔥 **Urgency**: **HIGH**. <br>⏳ **Priority**: Patch immediately. <br>📉 **Risk**: Active exploitation via Drupal and other PHP apps. The incomplete fix in v1.4.10 makes this critical for anyone still on old versions. 🚀