Directory traversal vulnerability in PEAR::Archive_Tar 1.2, and other versions before 1.3.2, allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a TAR archive.
In Archive_Tar, symlinks can refer to targets outside of the extracted archive.
Tar.php in Archive_Tar allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
archive_tar has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
There are several file operations with $v_header['filename'] as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with phar://[path_to_malicious_phar_file] as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because @unlink($this->_temp_tarname) is called. If another …