Symlink Vulnerability in PEAR Installer by PEAR
CVE-2011-1144

Currently unrated

Key Information:

Vendor: PHP
Status: Pear
Vendor: CVE Published:; 3 March 2011

What is CVE-2011-1144?

The PEAR Installer versions 1.9.2 and earlier are susceptible to a symlink vulnerability that enables local users to overwrite arbitrary files through a maliciously crafted package.xml file. This flaw arises from inadequate protections associated with critical directories such as download_dir, cache_dir, tmp_dir, and pear-build-download. Users must be aware of this vulnerability as it could lead to unauthorized access and potential system compromise.

References

http://openwall.com/lists/oss-security/2011/02/28/5

mailing-listx_refsource_MLIST

http://openwall.com/lists/oss-security/2011/03/01/7

mailing-listx_refsource_MLIST

http://pear.php.net/bugs/bug.php?id=18056

x_refsource_MISC

Timeline

Vulnerability published
Mar 3, 2011
Vulnerability Reserved
Mar 2, 2011

PHP

What is CVE-2011-1144?

References

Timeline