GHSA-pqjm-xcp8-wgmm: 
PHP vulnerability analysis and mitigation

GHSA-pqjm-xcp8-wgmm is a security vulnerability affecting eZ Platform and Legacy systems, discovered and disclosed on November 21, 2018. The vulnerability relates to insecure interpretation of PHP/PHAR uploads in multiple versions of ezsystems/ezplatform and ezsystems/ezpublish-legacy. The affected versions include ezplatform v2.3.2, v2.2.3, v1.13.4, v1.7.8 and ezpublish-legacy v2018.09.1.2, v2018.06.1.3, v2017.12.4.2, v5.4.12.2, v5.3.12.5 (GitHub Advisory).

The vulnerability consists of two main components: web server configuration issues and PHAR stream wrapper exploitation. The PHAR archives can be crafted to execute code through their stream wrapper without explicit execution requests, potentially triggering during any PHP file operation through deserialization. This vulnerability can be exploited even when files don't have a .phar extension. The issue is particularly concerning in environments where file uploads are permitted (Security Advisory).

The vulnerability could allow privilege escalation and breach of content access controls. When exploited, it enables unauthorized code execution through uploaded PHP/PHAR files in the system's var directories, potentially compromising the entire application (GitHub Advisory).

Two primary mitigation strategies are recommended: 1) Configure web servers to prevent execution of PHP/PHAR files in upload directories by returning HTTP 403 Forbidden for executable file types, and 2) Disable the PHAR stream wrapper within eZ Platform as it's typically only needed for Composer operations. Patches were released in versions ezplatform v2.3.2.1, v2.2.3.1, v1.13.4.1, v1.7.8.1 and ezpublish-legacy v2018.09.1.3, v2018.06.1.4, v2017.12.4.3, v5.4.12.3, v5.3.12.6 (Security Advisory).