First published: Thu Mar 03 2011(Updated: )
The installer in PEAR 1.9.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1072.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
PHP PEAR | =0.9 | |
PHP PEAR | =1.3.4 | |
PHP PEAR | =1.2.1 | |
PHP PEAR | <=1.9.2 | |
PHP PEAR | =1.3.3.1 | |
PHP PEAR | =1.4.2 | |
PHP PEAR | =1.0.1 | |
PHP PEAR | =1.0 | |
PHP PEAR | =1.2 | |
PHP PEAR | =1.5.0 | |
PHP PEAR | =1.3 | |
PHP PEAR | =0.90 | |
PHP PEAR | =1.5.1 | |
PHP PEAR | =1.9.1 | |
PHP PEAR | =1.4.0-rc2 | |
PHP PEAR | =1.4.1 | |
PHP PEAR | =1.3.5 | |
PHP PEAR | =1.3.6 | |
PHP PEAR | =1.3.3 | |
PHP PEAR | =1.3.1 | |
PHP PEAR | =1.4.0-rc1 | |
PHP PEAR | =0.2.2 | |
PHP PEAR | =1.4.0 | |
PHP PEAR | =0.10 | |
PHP PEAR | =1.6.1 | |
PHP PEAR | =0.11 | |
PHP PEAR | =1.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.