15-Year-Old Bug in PEAR PHP Repository Could’ve Enabled Supply Chain Attacks


A 15-year-old security vulnerability has been disclosed in the PEAR PHP repository that could permit an attacker to carry out a supply chain attack, including obtaining unauthorized access to publish rogue packages and execute arbitrary code.

“An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server,” SonarSource vulnerability researcher Thomas Chauchefoin said in a write-up published this week.

PEAR, short for PHP Extension and Application Repository, is a framework and distribution system for reusable PHP components.


One of the issues, introduced in a code commit made in March 2007 when the feature was originally implemented, relates to the use of the cryptographically insecure mt_rand() PHP function in the password reset functionality that could allow an attacker to “discover a valid password reset token in less than 50 tries.”

Armed with this exploit, a bad actor could target existing developer or administrator accounts to hijack them and publish new trojanized versions of packages already maintained by the developers, resulting in a widespread supply chain compromise.
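As an added illustration (not pearweb's code; the original commit is not quoted here), the mt_rand()-based token pattern the article calls insecure beside a hardened reset flow built on random_bytes(), hashed storage, an expiry and a constant-time check. The `$store` array is an assumed stand-in for the real database.

```php
<?php
// Weak: mt_rand() is a Mersenne Twister PRNG, not a CSPRNG. Its output is
// statistically predictable and its state can be recovered from observed
// values, so a reset token derived from it is guessable.
function weakResetToken(): string
{
    return md5((string) mt_rand());
}

// Hardened: 32 bytes from the OS CSPRNG, hex-encoded. random_bytes() throws
// if no secure source is available instead of silently degrading.
function secureResetToken(): string
{
    return bin2hex(random_bytes(32));
}

// Store only a hash of the token plus an expiry, so a database leak does not
// hand out live reset links. $store is an assumed array-backed stand-in.
function issueReset(array &$store, string $userId, int $ttlSeconds = 900): string
{
    $token = secureResetToken();
    $store[$userId] = [
        'hash'    => hash('sha256', $token),
        'expires' => time() + $ttlSeconds,
    ];
    return $token; // delivered to the user out of band (e.g. e-mail link)
}

// Verify with a constant-time comparison; a successful token is single-use.
function consumeReset(array &$store, string $userId, string $presented): bool
{
    if (!isset($store[$userId]) || $store[$userId]['expires'] < time()) {
        return false;
    }
    $ok = hash_equals($store[$userId]['hash'], hash('sha256', $presented));
    if ($ok) {
        unset($store[$userId]); // burn the token once it has been redeemed
    }
    return $ok;
}

$store = [];
$token = issueReset($store, 'dev42');
var_dump(consumeReset($store, 'dev42', $token)); // first, valid use
var_dump(consumeReset($store, 'dev42', $token)); // same token presented again
```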

The second vulnerability, which requires the adversary to chain it with the aforementioned flaw to attain initial access, stems from pearweb's reliance on an older version of Archive_Tar, which is susceptible to a high-severity directory traversal bug (CVE-2020-36193, CVSS score: 7.5), leading to arbitrary code execution.


The findings mark the second time security issues have been uncovered in the PHP supply chain in less than a year. In late April 2021, critical vulnerabilities were divulged in the Composer PHP package manager that could enable an adversary to execute arbitrary commands.

With software supply chain attacks emerging as a dangerous threat in the wake of protestware incidents aimed at widely-used libraries in the NPM ecosystem, security issues tied to code dependencies in software are back in the spotlight, prompting the Open Source Initiative to call the “weaponization of open source” an act of cyber vandalism that “outweigh[s] any possible benefit.”

“These vulnerabilities have been present for more than a decade and were trivial to identify and exploit, raising questions about the lack of security contributions from companies relying on it,” Chauchefoin said.
