
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The TYPO3 CMS vulnerability (GHSA-8h4m-r4wm-xj7r) involves arbitrary code execution via the File List Module, discovered and disclosed on January 22, 2019. The vulnerability affects TYPO3 CMS versions 8.0.0 to 8.7.22 and 9.0.0 to 9.5.3. This security issue allows backend users to upload potentially executable files with extensions like .phar, .shtml, .pl, or .cgi, which could be executed in certain web server configurations (TYPO3 Advisory).
The vulnerability stems from file extensions missing from the default value of $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], the deny list TYPO3 applies to uploaded file names. The issue has a CVSS v3.1 base score of 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Notably, Debian GNU/Linux derivatives handle *.phar files as PHP applications since PHP 7.1 for unofficial packages and PHP 7.2 for official packages. The vulnerability is tracked as CWE-434 (GitHub Advisory).
The vulnerability can lead to arbitrary code execution on affected systems. Confidentiality, integrity, and availability are each rated High in the CVSS vector (C:H/I:H/A:H). The impact is particularly significant on systems where specific file handlers are configured for the permitted extensions, especially for *.phar files on Debian-based systems (GitHub Advisory, TYPO3 Advisory).
The vulnerability was patched in TYPO3 versions 8.7.23 and 9.5.4. The fix extended the file deny pattern to cover additional potentially dangerous file extensions. The patch was implemented through commits that modified SystemEnvironmentBuilder.php to update both the FILE_DENY_PATTERN_DEFAULT and PHP_EXTENSIONS_DEFAULT constants (TYPO3 Commit).
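The deny-list check the advisory describes, as an added Python example (not TYPO3's own code): WEAK_PATTERN and HARDENED_PATTERN are assumptions modelled on the project's pre-fix and post-fix defaults rather than values quoted from the page, and the sample upload names are constructed. Running it shows which names each pattern lets through, which is the same audit you would run against a live fileDenyPattern value.

```python
import re

# Illustrative deny patterns in the style of TYPO3's fileDenyPattern: PCRE,
# applied case-insensitively to the bare upload name. Both are assumptions
# modelled on the project's defaults, not quoted from the advisory.
WEAK_PATTERN = r"\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$"

# Hardened pattern: adds phar, shtml and cgi to the extension group and
# denies .pl outright, mirroring the fix described for 8.7.23 / 9.5.4.
HARDENED_PATTERN = (
    r"\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$"
)


def is_denied(filename: str, pattern: str) -> bool:
    """True if the deny pattern rejects this upload name.

    re.search with IGNORECASE mirrors preg_match('/' . $pattern . '/i', ...).
    The (\\..*)? tail keeps a blocked extension blocked when a further
    extension is appended (shell.php.txt), which matters on servers that
    select a handler from any extension in the name, not just the last.
    """
    return re.search(pattern, filename, re.IGNORECASE) is not None


def unblocked_uploads(filenames: list[str], pattern: str) -> list[str]:
    """Names the given pattern would accept; use this to audit a live config."""
    return [name for name in filenames if not is_denied(name, pattern)]


# Constructed sample of names a backend user might submit to the File List module.
SAMPLE_NAMES = [
    "report.pdf",
    "photo.JPG",
    "shell.php",
    "shell.PHP.txt",
    "archive.phar",
    "include.shtml",
    "script.pl",
    "handler.cgi",
    ".htaccess",
]

if __name__ == "__main__":
    for label, pattern in (("weak", WEAK_PATTERN), ("hardened", HARDENED_PATTERN)):
        print(f"{label:9} lets through: {unblocked_uploads(SAMPLE_NAMES, pattern)}")
```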
Source: This report was generated using AI