GHSA-f9hr-7cfq-mjg2: 
PHP vulnerability analysis and mitigation

A security vulnerability was discovered in TYPO3 CMS (versions 8.0.0-8.7.22 and 9.0.0-9.5.3) that could allow arbitrary code execution through the File List Module. The vulnerability was disclosed on January 22, 2019, and was assigned the identifier TYPO3-CORE-SA-2019-008. The issue affects the File List (ext:filelist) subcomponent of TYPO3 CMS, requiring a valid backend user account for exploitation (TYPO3 Advisory).

The vulnerability stems from missing file extensions in $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], which allowed backend users to upload potentially executable files with extensions such as .phar, .shtml, .pl, or .cgi. The severity is rated as High with a CVSS v3.1 score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is particularly concerning on Debian GNU Linux derivatives, where *.phar files are handled as PHP applications since PHP 7.1 for unofficial packages and PHP 7.2 for official packages (GitHub Advisory).

The vulnerability could lead to arbitrary code execution in certain web server setups. The impact varies depending on the server configuration, with potential high severity implications for confidentiality, integrity, and availability. Particularly affected are systems running Debian GNU Linux derivatives with PHP 7.1+ where *.phar files are automatically handled as PHP applications (TYPO3 Advisory).

The vulnerability was patched in TYPO3 versions 8.7.23 and 9.5.4. The fix involved extending the file deny pattern to include additional potentially dangerous file extensions. The patch specifically added phar, shtml, cgi, and pl to the file deny pattern and updated the PHP extensions default configuration (TYPO3 Commit).