Описание
Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale
Impact
Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers.
Patches
Workarounds
Any of the below actions can be taken to prevent the issue:
- Validate input before calling
setLocale(), for instance by forbidding or removing/and\ - Call
setLocale()only with a locale from a whitelist of supported locales - When uploading files, rename them so they cannot have a
.phpextension (this is recommended even if you're not affected by this issue) - Prefer storage system that are not local to the application (remote service, or local service ran by another user so the uploaded files actually live outside of the application basedir)
References
https://en.wikipedia.org/wiki/File_inclusion_vulnerability
Credits
Thanks to Szczepan Hołyszewski who reported the issue and to Tidelift to coordinate the resolution
Пакеты
nesbot/carbon
>= 3.0.0, < 3.8.4
3.8.4
nesbot/carbon
< 2.72.6
2.72.6
Связанные уязвимости
Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
Carbon is an international PHP extension for DateTime. Application pas ...