PHP package manager flaw left millions of web apps open to abuse

Security researchers are warning that a software supply chain vulnerability in PHP's main dependency manager could have put millions of websites at risk.

The flaw, discovered by researchers at SonarSource, affects Composer, the dependency manager used to declare, resolve and install third-party packages in PHP projects.

Composer fetches package metadata from Packagist, the default public package repository for PHP. The flaw itself sits in Composer's code for talking to version control systems, which Packagist also runs on its servers to read the repository URLs that package maintainers submit; that is where it was found and where it was exploitable.

SonarSource found that the vulnerability allowed an attacker to execute arbitrary system commands on the Packagist server. From there, an attacker could have obtained maintainers' credentials or rewritten the download URLs that Packagist hands to Composer clients, redirecting package requests to code under their control.

“An attacker changing the URL associated with the package symfony/symfony by one under their control would trick Composer into downloading the wrong source code, and with that deploy the attacker’s backdoor on the server running Composer,” Thomas Chauchefoin, vulnerability researcher at SonarSource told The Daily Swig.

Supply chain attack

According to Chauchefoin, SonarSource discovered the flaw when researching software supply chain attacks and investigating the components of the PHP packages ecosystem.

SonarSource believes the flaw went undetected for about ten years, even though researcher Max Justicz found a vulnerability in the same code in 2018.

“Its exploitability is very dependent on the command that is being called,” Chauchefoin explained. “That is very easy to overlook as user-controlled data is often already correctly sanitized against other injection vulnerabilities.”
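The pattern Chauchefoin describes, where a value is already clean with respect to shell injection but is still passed to a program in a position where that program reads it as a command-line option, is known as argument injection. The following Python is an added illustration written for this page; it is not Composer's PHP code and is not taken from the SonarSource report. It assumes a hypothetical service that runs `git ls-remote` on a user-supplied repository URL. The sample URLs are constructed; the `--upload-pack` option is a real git option that names the program git runs in place of `git-upload-pack`, which is why an unchecked value starting with that option leads to command execution.

```python
"""Argument injection in a VCS URL, and the checks that stop it.
Hypothetical example code, not Composer's own implementation."""
import re
import shutil
import subprocess
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the original report).
BENIGN_URL = "https://github.com/symfony/symfony.git"
SCP_STYLE_URL = "git@github.com:symfony/symfony.git"
# Contains no shell metacharacters, so a shell-injection filter lets it through,
# yet git reads it as the --upload-pack option and runs the named program.
OPTION_URL = "--upload-pack=touch /tmp/pwned"

ALLOWED_SCHEMES = {"https", "http", "ssh", "git"}
SCP_STYLE = re.compile(r"^[\w.-]+@[\w.-]+:[\w./-]+$")


def vulnerable_ls_remote_argv(url: str) -> List[str]:
    """The bug pattern: user data lands directly after the subcommand, where
    git's option parser still looks for flags. shell=False does not help here."""
    return ["git", "ls-remote", url]


def validate_vcs_url(url: str) -> str:
    """Reject anything that could be parsed as an option and anything that is
    not an absolute VCS URL or an scp-style git address."""
    if url.startswith("-"):
        raise ValueError("option-like value rejected: %r" % url)
    if re.search(r"\s", url):
        raise ValueError("whitespace not allowed in a VCS URL")
    if SCP_STYLE.match(url):
        return url
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("not an absolute VCS URL: %r" % url)
    return url


def hardened_ls_remote_argv(url: str) -> List[str]:
    """Validate, then place '--' before positional arguments so git stops
    option parsing even if a later change lets a leading '-' through."""
    return ["git", "ls-remote", "--", validate_vcs_url(url)]


def git_positional_arg(argv: List[str]) -> Optional[str]:
    """Model of how git's parser sees argv: return the first positional
    argument (the repository), or None if it was swallowed as an option.
    Simplified to the '--option=value' form, the one an attacker would use."""
    positional_only = False
    for tok in argv[2:]:  # skip 'git' and the subcommand
        if positional_only:
            return tok
        if tok == "--":
            positional_only = True
        elif tok.startswith("-"):
            continue  # consumed as an option, not as a repository
        else:
            return tok
    return None


def run_ls_remote(argv: List[str]) -> subprocess.CompletedProcess:
    """Run git without a shell. Necessary, but as the vulnerable variant
    shows, not sufficient on its own."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    for url in (BENIGN_URL, SCP_STYLE_URL, OPTION_URL):
        seen = git_positional_arg(vulnerable_ls_remote_argv(url))
        print("vulnerable argv: repository git would see =", seen)
        try:
            print("hardened argv:", hardened_ls_remote_argv(url))
        except ValueError as exc:
            print("hardened argv rejected input:", exc)
    if shutil.which("git"):
        # With '--' in place git treats the option-looking string as a
        # repository path and fails instead of executing anything.
        result = run_ls_remote(["git", "ls-remote", "--", OPTION_URL])
        print("git exit status with '--' separator:", result.returncode)
```

The two defences are deliberately redundant: the validator rejects option-like and malformed values at the boundary, and the `--` separator makes the command line itself safe against anything the validator misses. Both belong in code that hands user-supplied strings to git, hg or svn, since each of those tools has options that run external programs.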

However, PHP's popularity, and the number of PHP projects that use Composer, widens the potential impact.

PHP runs on around 80% of websites whose server-side language is known. SonarSource estimates that two-thirds of PHP projects use Composer to manage their dependencies.

“The public Packagist infrastructure facilitates the downloads, but doesn’t directly host the source code,” said Chauchefoin.

“It is estimated that the public Packagist infrastructure serves around 100 million metadata requests per month. These could have been backdoored with the vulnerability we reported.”

Patch released

The flaw has now been fixed, and the researchers say the risk to most sites using PHP is limited.

“However, if you give users control to your composer.json or use the internal APIs VcsRepository / VcsDriver and derivatives, you should definitely upgrade to Composer 1.10.22 and 2.0.13,” he added.

Nonetheless, web developers should stay vigilant, Jed Kafetz, head of pen testing at Redscan, told The Daily Swig.


“If an attacker can backdoor a common software package, each further application attempting to make use of the tool or software will be affected,” he said.

“An attacker may then leverage this access to exfiltrate data causing a large-scale breach, or compromise the underlying network, or alternatively use it as a base for further attacks,” added Kafetz.

“Supply chain compromise is a hugely advantageous route for an attacker to take. It goes beyond the realms of a targeted attack and can make a significant number of systems that were previously secure, suddenly become vulnerable.”

Full technical details can be found in the SonarSource blog post.

Source: https://portswigger.net/daily-swig/php-package-manager-flaw-left-millions-of-web-apps-open-to-abuse
