Vulnerabilities in Drupal Pear library (CVE-2018-1000888)

The Drupal content management system (CMS) released two security updates on Wednesday, each designed to mitigate critical security vulnerabilities in the content management framework. These vulnerabilities were reported by network security and ethical hacking experts from the International Institute of Cyber Security and allow a malicious user to take control of the affected system.

In addition, one known issue related to these updates is a fatal error that occurs when updating a site with Drush, a command-line shell for Drupal.

More information regarding the fatal errors related to Drush can be found on this page.

The updates cover the 7.x, 8.5.x and 8.6.x branches of Drupal; the vulnerabilities are corrected by updating Drupal to version 7.62, 8.5.9 or 8.6.6.



The first advisory, tracked as CVE-2018-1000888, concerns the PEAR Archive_Tar library, a third-party component that has also been patched by its maintainers. If exploited, this vulnerability could lead to remote code execution, as reported by network security experts.


Second vulnerability

The second vulnerability, which does not yet have a CVE identifier assigned, is a remote code execution flaw in PHP's built-in phar stream wrapper. It can be triggered when file operations are performed on an untrusted phar:// URI. Some Drupal code (core, contrib, or custom) may perform file operations on user input that was not sufficiently validated, which leaves it exposed to this vulnerability.

There is currently no evidence that these vulnerabilities have been exploited in real environments. Exploitation is complex because it requires administrator privileges on the vulnerable system.

Not every Drupal instance will be vulnerable to attack either: most webapps won’t chuck user input into file calls without stripping out anything that looks like a protocol like phar://.
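The kind of input check described above, as an added example that is not code from Drupal or from the original article. The helper name `safe_local_path`, the temporary directory and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied relative path inside $baseDir, or throw.
 * Hypothetical helper for illustration; not part of Drupal.
 */
function safe_local_path(string $baseDir, string $userPath): string
{
    // Reject anything shaped like "scheme://" (phar://, PHAR://, compress.zlib://).
    // PHP resolves wrapper names case-insensitively, so the match must be too.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath) === 1) {
        throw new InvalidArgumentException('stream wrappers are not allowed');
    }
    if (strpos($userPath, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in path');
    }

    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }
    // realpath() resolves ".." and symlinks and returns false for missing files.
    $full = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('path is missing or escapes the base directory');
    }
    return $full;
}

// Constructed demo: a temporary directory holding one file, plus sample inputs.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . getmypid();
@mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'report.txt', 'ok');

foreach (['report.txt', 'phar://upload.phar/x', 'PHAR://upload.phar/x', '../etc/passwd'] as $input) {
    try {
        $path = safe_local_path($base, $input);
        echo "ALLOW  $input -> ", file_get_contents($path), "\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECT $input (", $e->getMessage(), ")\n";
    }
}
```

Only `report.txt` reaches `file_get_contents()`. Both spellings of the phar scheme and the traversal attempt are rejected before any file operation runs.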

