• Resolved John

    (@dsl225)


    Hello,

    Although this might probably be a false positive, I prefer reporting it here in order to avoid further issues.

    One site that is protected by Virusdie got this alert for the file tar.php located at wp-content/plugins/backwpup/vendor/pear/archive_tar/Archive/

    Line 1770:

        private function _maliciousFilename($file)
        {
            if (strpos($file, 'phar://') === 0) {
                return true;
            }
            if (strpos($file, '/../') !== false) {
                return true;
            }

    Drupal.CVE.Core-2020-013
    Threat Danger Level: 9/10
    Status: malware
    Automatic cleaning: not available
    Malware highlighting: available

    Drupal CMS critical vulnerability. Arbitrary PHP code execution is possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them. Versions: < 7.75, 8.8.12, 8.9.10, 9.0.9. File: modules/system/system.tar.inc, vendor/pear/archive_tar/Archive/Tar.php. Type: Remote code execution. Details: https://www.drupal.org/sa-core-2020-013 . To fix vulnerability update CMS to the latest version in the branch: https://www.drupal.org/project/drupal/releases/ . If you are using PEAR Archive_Tar library separately from Drupal, download the update from the developer’s website: https://pear.php.net/package/Archive_Tar .

    If this is indeed a false positive, maybe contact Virusdie directly in order to whitelist your files.

    Thanks!

Viewing 8 replies - 1 through 8 (of 8 total)
  • I got this alert from VirusDie as well.

    I contacted them in case it was a false positive and this was their reply.

    Hello! I have clarified the information. This is not a false positive. Vulnerable PEAR Archive_Tar library (https://pear.php.net/package/Archive_Tar)

    If you are using PEAR Archive_Tar library separately from Drupal, download the update from the developer’s website: https://pear.php.net/package/Archive_Tar/download

    Hi, I got the same answer from Virusdie too. How is it resolved?

    Plugin Support Syde Niklas

    (@niklasinpsyde)

    Hi everyone,

    Thanks for letting us know about this message.
    It seems that we will need to update the library with our next release to resolve this behavior, so I have informed our developers about it.

    Kind regards,
    Niklas

    Thread Starter John

    (@dsl225)

    Thanks!

    Plugin Support Syde Niklas

    (@niklasinpsyde)

    We have updated the library for our next release.
    I can’t tell you when our next update will be released, but the issue will be fixed then.
    So I will go ahead and mark this as resolved for our issue tracking.
    Thanks for reporting!

    Kind regards,
    Niklas

    Hi, for the moment, I have deleted the code:

        /**
         * Detect and report a malicious file name
         *
         * @param string $file
         *
         * @return bool
         */
        private function _maliciousFilename($file)
        {
            if (strpos($file, 'phar://') === 0) {
                return true;
            }
            if (strpos($file, '/../') !== false) {
                return true;
            }
            if (strpos($file, '../') === 0) {
                return true;
            }
            return false;
        }

    The infection is no longer reported and BackWPup continues to work with no apparent problems! Hope it helps.
    See you soon!

    • This reply was modified 4 years, 3 months ago by EM3DESIGN.
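
A read-only check a site owner could run over the web root, added here as an example and not part of the thread, BackWPup or Virusdie. It looks for the function quoted above and separates a copy that still carries the reported test from one where the function definition is gone; the function names and status labels are this example's own.

```shell
#!/bin/sh
# Added example: classify copies of PEAR Archive_Tar found under a web root.
# Both grep patterns are taken from the code quoted in this thread; the
# status labels are assumptions of this example, not scanner output.

# classify_tar_php FILE -> prints OLD_CHECK, CHECK_MISSING or DIFFERENT
classify_tar_php() {
    # Literal first test of the reported function (line 1770 in the alert).
    if grep -qF "strpos(\$file, 'phar://') === 0" "$1"; then
        echo OLD_CHECK
    # No definition at all: the filename check was deleted, not updated,
    # so archive entry names are no longer screened by this function.
    elif ! grep -qE 'function[[:space:]]+_maliciousFilename[[:space:]]*\(' "$1"; then
        echo CHECK_MISSING
    else
        # Function present but its first test differs from the quoted one:
        # compare the file with the current Archive_Tar release.
        echo DIFFERENT
    fi
}

# scan_archive_tar ROOT -> one "STATUS<TAB>path" line per library copy.
# Paths containing newlines are not handled.
scan_archive_tar() {
    # -ipath: the alert names the file tar.php, the advisory Tar.php.
    # system.tar.inc is the second file named in the advisory text.
    find "$1" -type f \( -ipath '*/archive_tar/Archive/tar.php' \
            -o -name 'system.tar.inc' \) -print |
        while IFS= read -r f; do
            printf '%s\t%s\n' "$(classify_tar_php "$f")" "$f"
        done
}

# Run as: sh check_archive_tar.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    scan_archive_tar "$1"
fi
```

CHECK_MISSING is the state a scanner signature keyed on the quoted lines will stop reporting, even though the library copy has not been updated.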
    apasionados

    (@apasionados)

    Hi @niklasinpsyde,

    Any update on when the version with the fix will go live?

    With the latest published version (3.8.0 September 22, 2020) Virusdie still detects the vulnerability.

    Thanks.

    Best regards from Spain.

    Just found the same vulnerability…
    Please fix!

  • The topic ‘Virusdie reports infected file: tar.php’ is closed to new replies.