CVE-2007-2519

Name of the Vulnerable Software and Affected Versions PEAR versions 1.0 through 1.5.3

Description The issue allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in the install-as attribute in the file element in package.xml 1.0 or the as attribute in the install element in package.xml 2.0.

Recommendations For PEAR versions 1.0 through 1.5.3, consider restricting the use of the install-as attribute in package.xml 1.0 and the as attribute in package.xml 2.0 to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.