Platform
php
Component
php
Fixed versions
7.2.28
7.3.15
7.4.3
CVE-2020-7063 is a vulnerability in PHP affecting versions 7.2.x below 7.2.28, 7.3.x below 7.3.15, and 7.4.x below 7.4.3. When a PHAR archive is created with PharData::buildFromIterator(), every file is added with the default mode 0666 (read and write for every user) even if the original file on the filesystem had more restrictive permissions, so files end up with laxer permissions than intended when the archive is later extracted. The fix shipped in PHP 7.2.28, 7.3.15 and 7.4.3.
The core impact of CVE-2020-7063 is the loss of restrictive file permissions. On an affected PHP, an archive built with the vulnerable function stores 0666 for every entry regardless of the mode of the source file, so a file that was 0600 at the source (a private key, a configuration file holding credentials) is recorded as world-readable and world-writable. When the archive is extracted, PHP applies the stored mode to the extracted file (other extraction tools may additionally apply the umask), so the file lands readable and writable by every local user. Note that 0666 carries no execute bit: the exposure is read and write access, not execution. The weakness sits on the side of whoever builds the archive; an attacker does not need this bug to ship an archive with permissive modes, so the realistic risk is accidental exposure of restricted files by applications or build pipelines that package content with PharData. This matters most on multi-user hosts where file permissions are the control that separates tenants from each other's data. It is not a remote code execution flaw, but a world-writable configuration file or key on a shared host is a usable step towards privilege escalation or data exfiltration.
CVE-2020-7063 was publicly disclosed on February 27, 2020. It is not currently listed on CISA KEV. There are no known active exploitation campaigns targeting this vulnerability, and no public proof-of-concept exploits have been widely released. However, the potential for abuse remains, particularly in environments where PHAR archives are frequently used and file permissions are not rigorously enforced.
Systems running PHP 7.2.x below 7.2.28, 7.3.x below 7.3.15, or 7.4.x below 7.4.3 are at risk, but only code paths that build archives are affected: the bug is in the creation of the archive, not in reading or extracting one. Exposed cases include web hosting environments, particularly shared hosting where multiple tenants build and extract PHAR archives on the same host, and applications or build pipelines that dynamically generate and distribute PHAR archives. Phar::buildFromDirectory() is implemented on top of the same build routine as buildFromIterator(), so code that uses it should be reviewed in the same way.
• linux / server:
find /var/www/html -type f -perm -0002 -exec stat -c '%a %n' {} +  # world-writable files, e.g. left behind by extracting an archive built on an affected PHP (stat prints 666, not 0666)
• generic web:
curl -sI <website_url> | grep -i '^X-Powered-By'  # reports the PHP version when expose_php is enabled; compare against 7.2.28 / 7.3.15 / 7.4.3
Exploitation status
EPSS
0.30% (54th percentile)
CVSS vector
The primary mitigation for CVE-2020-7063 is to upgrade to a patched release of the branch you run: PHP 7.2.28, 7.3.15 or 7.4.3, or any later release. If upgrading is not immediately feasible, two workarounds cover the gap. First, after building an archive with PharData::buildFromIterator(), set each entry's mode explicitly with PharFileInfo::chmod() (for example, by copying the mode of the corresponding source file), and re-check the permissions of anything extracted from archives that were built on an unpatched PHP. Second, avoid buildFromIterator() and add files individually, again setting the mode per entry rather than trusting the default. A web application firewall is not a meaningful control here: the mode is lost when the archive is built, not in transit, and a WAF does not parse tar or zip entry headers. There are no specific Sigma or YARA rules for this vulnerability; detection relies on identifying use of the vulnerable function on an affected PHP version and on auditing the resulting permission anomalies, such as world-writable files left behind by extraction.
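The following is an added example in PHP, not code from this page or from the PHP project. It reproduces the behaviour described above (a tar built with PharData::buildFromIterator() from a directory containing a 0600 file), reports the mode recorded for each entry, and then applies the PharFileInfo::chmod() workaround by copying each source file's mode onto its entry. The temporary paths, file names and file contents are constructed for the example; on a patched PHP the first listing already shows 0600 and 0644, on an affected PHP it shows 0666 for both files.

```php
<?php
declare(strict_types=1);

// Added example, not code from the page or from the PHP project. Builds a tar
// with PharData::buildFromIterator(), shows the modes stored for each entry,
// and restores the source modes as a workaround for CVE-2020-7063.
// All paths are temporary and all file contents are constructed here.

/** Create a throwaway source tree with deliberately restrictive modes. */
function makeSourceTree(): string
{
    $src = sys_get_temp_dir() . '/cve-2020-7063-src-' . getmypid();
    if (!is_dir($src)) {
        mkdir($src, 0700, true);
    }
    file_put_contents("$src/secret.key", "constructed sample private key\n");
    chmod("$src/secret.key", 0600);          // owner read/write only
    file_put_contents("$src/public.txt", "constructed sample text\n");
    chmod("$src/public.txt", 0644);
    return $src;
}

/** Vulnerable pattern: build the archive straight from a directory iterator. */
function buildArchive(string $src, string $archive): PharData
{
    if (file_exists($archive)) {
        unlink($archive);
    }
    $tar = new PharData($archive);          // PharData is writable even with phar.readonly=1
    $tar->buildFromIterator(
        new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($src, FilesystemIterator::SKIP_DOTS)
        ),
        $src                                // entry names become paths relative to $src
    );
    return $tar;
}

/** Return [entry name => octal mode] as recorded in the archive. */
function entryModes(PharData $tar): array
{
    $modes = [];
    foreach (new RecursiveIteratorIterator($tar) as $entry) {
        // getPerms() returns the mode PHP stored for the entry; the sample
        // tree is flat, so the bare file name is a unique key here
        $modes[$entry->getFilename()] = sprintf('%04o', $entry->getPerms() & 0777);
    }
    ksort($modes);
    return $modes;
}

/**
 * Workaround for builds on an unpatched PHP: walk the source tree again and
 * copy each file's mode onto the matching entry. PharFileInfo::chmod() rewrites
 * the permission bits in the archive, so a later extraction honours them.
 */
function restoreSourceModes(PharData $tar, string $src): void
{
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($src, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $rel = ltrim(substr($file->getPathname(), strlen($src)), '/');
        if (isset($tar[$rel])) {
            $tar[$rel]->chmod($file->getPerms() & 0777);
        }
    }
}

$src     = makeSourceTree();
$archive = sys_get_temp_dir() . '/cve-2020-7063-' . getmypid() . '.tar';
$tar     = buildArchive($src, $archive);

echo 'PHP ' . PHP_VERSION . "\n";
echo "modes stored by buildFromIterator():\n";
print_r(entryModes($tar));
// fixed PHP (>= 7.2.28 / 7.3.15 / 7.4.3): secret.key => 0600, public.txt => 0644
// affected PHP:                           secret.key => 0666, public.txt => 0666

restoreSourceModes($tar, $src);
echo "modes after restoreSourceModes():\n";
print_r(entryModes($tar));              // 0600 / 0644 regardless of PHP version

// Extraction applies the stored mode to each file on disk; with the
// uncorrected build, secret.key would land world-readable and world-writable.
$dst = sys_get_temp_dir() . '/cve-2020-7063-dst-' . getmypid();
$tar->extractTo($dst, null, true);
foreach (['secret.key', 'public.txt'] as $name) {
    printf("%04o %s/%s\n", fileperms("$dst/$name") & 0777, $dst, $name);
}
```

Run it with `php example.php` on the interpreter you want to assess; the first listing is the version check, the second is the state you want before shipping an archive from any PHP that cannot be upgraded yet. The same entryModes() loop also serves as an audit of archives you receive, since it reads the modes exactly as extraction will apply them.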
Update to the latest version of PHP. Specifically, update to version 7.2.28 or later, 7.3.15 or later, or 7.4.3 or later. This corrects the permissions problem when creating PHAR archives with PharData::buildFromIterator().
CVE-2020-7063 is a vulnerability in PHP where PHAR archives created with PharData::buildFromIterator() record every entry with the default mode 0666 instead of the source file's permissions, so restricted files can be extracted world-readable and world-writable.
You are affected if you are using PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15, or 7.4.x below 7.4.3.
Upgrade to PHP 7.2.28, 7.3.15 or 7.4.3 (or any later release of your branch) to resolve this vulnerability. If an immediate upgrade is not possible, set entry modes explicitly with PharFileInfo::chmod() after building an archive and audit the permissions of extracted files.
There are currently no known active exploitation campaigns targeting CVE-2020-7063, but the potential for abuse remains.
Refer to the official PHP security advisory: https://security.php.net/CVE-2020-7063