VYPR
High severity · NVD Advisory · Published Nov 19, 2020 · Updated Aug 4, 2024

CVE-2020-28948

Description

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Archive_Tar through 1.4.10 allows unserialization attack by bypassing phar:// block with uppercase PHAR://.

Vulnerability

CVE-2020-28948 is an unserialization vulnerability in the PEAR Archive_Tar library, affecting versions through 1.4.10. The library attempts to block malicious filenames that start with phar:// to prevent PHP phar unserialization attacks, but the check is case-sensitive. An attacker can bypass this protection by using PHAR:// (uppercase) in the filename, which is not blocked [1][2].

Exploitation

To exploit this, an attacker crafts a tar archive containing a file whose name begins with PHAR:// and points to a malicious phar file. When Archive_Tar processes the archive (e.g., during extraction or listing), the _maliciousFilename() function fails to detect the uppercase scheme, allowing the phar metadata to be unserialized. This attack requires that phar.readonly is disabled in PHP configuration, and the attacker must be able to upload or supply a crafted tar file to an application using Archive_Tar [2].

Impact

Successful exploitation leads to arbitrary PHP object injection, which can result in remote code execution. The Drupal project, which uses Archive_Tar, issued a critical security advisory (SA-CORE-2020-013) noting that known exploits exist for this vulnerability in certain configurations, such as when untrusted users can upload .tar, .tar.gz, .bz2, or .tlz files [3].

Mitigation

The vulnerability is fixed in Archive_Tar versions after 1.4.10. The commit [4] changes the check to block any stream wrapper (://) instead of only phar://, and renames the method to _isMaliciousFilename. Users should update to the latest version of Archive_Tar or apply the patch. Drupal has released updates (7.75, 8.8.12, 8.9.10, 9.0.9) that include the fix [3]. As a workaround, prevent untrusted users from uploading tar archives until patching is possible.
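As an added example (not Archive_Tar's own code), the following Python mirrors the pre-fix prefix check described in the Vulnerability section beside the scheme-agnostic check the Mitigation section describes, and runs both over an in-memory tar with constructed member names so a reviewer can see which names each version rejects before anything is extracted.

```python
import io
import tarfile

# Member names constructed for this example; the archive is built in memory.
SAMPLE_MEMBERS = [
    "docs/readme.txt",
    "../outside.txt",
    "phar://evil.phar/x",
    "PHAR://evil.phar/x",
    "archive.tar.gz",
]

def legacy_is_malicious(name: str) -> bool:
    """Mirror of the Archive_Tar 1.4.10 check: case-sensitive prefix match on
    'phar://' plus the '../' traversal test, so 'PHAR://' slips through."""
    if name.startswith("phar://"):
        return True
    return "../" in name or "..\\" in name

def fixed_is_malicious(name: str) -> bool:
    """Mirror of the 1.4.11 check: any '://' anywhere in the name is rejected,
    so the casing of the scheme no longer matters."""
    if "://" in name:
        return True
    return "../" in name or "..\\" in name

def build_sample_tar(names) -> bytes:
    """Build an uncompressed tar in memory whose members carry the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for n in names:
            info = tarfile.TarInfo(name=n)
            data = b"x"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def scan_tar(blob: bytes, check) -> list:
    """List member names the given check flags, reading headers only."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return [m.name for m in tar.getmembers() if check(m.name)]

if __name__ == "__main__":
    blob = build_sample_tar(SAMPLE_MEMBERS)
    print("1.4.10 check flags:", scan_tar(blob, legacy_is_malicious))
    print("1.4.11 check flags:", scan_tar(blob, fixed_is_malicious))
```

Running the script shows the uppercase member passing the 1.4.10 check and being caught by the 1.4.11 check; the same scan can be applied to uploads before they reach Archive_Tar.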

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
pear/archive_tar (Packagist) | < 1.4.11 | 1.4.11

Patches

0670a05fdab9

Fixes #33 - ensure we catch additional malicious/crafted filenames

https://github.com/pear/Archive_Tar · Michiel Rook · Nov 19, 2020 · via ghsa
1 file changed · +4 −4
  • Archive/Tar.php · +4 −4 · modified
    @@ -1730,7 +1730,7 @@ public function _readHeader($v_binary_data, &$v_header)
     
             // ----- Extract the properties
             $v_header['filename'] = rtrim($v_data['filename'], "\0");
    -        if ($this->_maliciousFilename($v_header['filename'])) {
    +        if ($this->_isMaliciousFilename($v_header['filename'])) {
                 $this->_error(
                     'Malicious .tar detected, file "' . $v_header['filename'] .
                     '" will not install in desired directory tree'
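Review bot: the message passed to `$this->_error(` still reads 'will not install in desired directory tree', which describes the `../` traversal case; now that `_isMaliciousFilename` also rejects any `://` stream wrapper, a name such as `PHAR://...` is reported with a misleading reason. Consider a separate message for the wrapper case, or a neutral 'Malicious .tar detected, file "..." rejected'.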
    @@ -1800,9 +1800,9 @@ private function _tarRecToSize($tar_size)
          *
          * @return bool
          */
    -    private function _maliciousFilename($file)
    +    private function _isMaliciousFilename($file)
         {
    -        if (strpos($file, 'phar://') === 0) {
    +        if (strpos($file, '://') !== false) {
                 return true;
             }
             if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
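Review bot: the new test `strpos($file, '://') !== false` is deliberately broader than the old `=== 0` prefix check in two ways that the docblock above does not record: it matches `://` anywhere in the name, not only at offset 0, and it is scheme-agnostic, so the uppercase `PHAR://` bypass is closed without needing a case-insensitive compare. Suggest updating the method comment to say that any embedded stream-wrapper syntax is rejected, and adding a regression test covering `phar://`, `PHAR://` and a mixed-case variant so the case-sensitivity gap cannot be reintroduced.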
    @@ -1838,7 +1838,7 @@ public function _readLongHeader(&$v_header)
     
             $v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
             $v_header['filename'] = $v_filename;
    -        if ($this->_maliciousFilename($v_filename)) {
    +        if ($this->_isMaliciousFilename($v_filename)) {
                 $this->_error(
                     'Malicious .tar detected, file "' . $v_filename .
                     '" will not install in desired directory tree'
    
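Review bot: the GNU long-name path now applies the same check as `_readHeader`, but the `_error(` call and its message string are duplicated verbatim at both call sites; consider folding the check and the error into one helper so that future tightening of the filename rules cannot drift between the two header readers.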

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
