CVE-2011-1144

Name of the Vulnerable Software and Affected Versions PEAR versions 1.9.2 and earlier

Description The issue allows local users to overwrite arbitrary files via a symlink attack on the package.xml file. This is related to the download dir, cache dir, tmp dir, and pear-build-download directories. The problem exists due to an incomplete fix for a previous issue.

Recommendations For PEAR versions 1.9.2 and earlier, consider restricting access to the package.xml file and the related directories to minimize the risk of exploitation. As a temporary workaround, avoid using the installer until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.