A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks

Technology

The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and “backdoor every PHP package,” resulting in a supply-chain attack.

Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was deployed less than 12 hours later.

“Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders,” Composer said its release notes for versions 2.0.13 and 1.10.22 published on Wednesday. “To the best of our knowledge the vulnerability has not been exploited.”

password auditor

Composer is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project. It also allows users to install PHP applications that are available on Packagist, a repository that aggregates all public PHP packages installable with Composer.

According to SonarSource, the vulnerability stems from the way package source download URLs are handled, potentially leading to a scenario where an adversary could trigger remote command injection. As proof of this behavior, the researchers exploited the argument injection flaw to craft a malicious Mercurial repository URL that takes advantage of its “alias” option to execute a shell command of the attacker’s choice.

“A vulnerability in such a central component, serving more than 100 million package metadata requests per month, has a huge impact as this access could have been used to steal maintainers’ credentials or to redirect package downloads to third-party servers delivering backdoored dependencies,” SonarSource said.

password auditor

The Geneva-based code security firm said one of the bugs was introduced in November 2011, suggesting that the vulnerable code lurked right from the time development on Composer started 10 years ago. The first “alpha” version of Composer was released on July 3, 2013.

“The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins,” Jordi Boggiano, one of the primary developers behind Composer, said.

Products You May Like

Articles You May Like

McDonald’s India Delivery System Reportedly Exposed Personal Information of Customers Due to API Bug
New Chainsaw Man Movie Hypes Debut With New Posters & Staff
Dodger Stadium is hosting a dog adoption – NBC Los Angeles
Cledus T. Judd Recalls Toby Keith Kicking A Guy’s A** After He Insulted Them At A Nashville Bar: “Like He Was Carrying A 12-Pack Of Beer”
Parents of Moreno Valley child who died in adoption care speak out – NBC Los Angeles