A 15-year-old security flaw has been disclosed in the PEAR PHP repository that could allow an attacker to perform a supply chain attackincluding unauthorized access to publish rogue packages and execute arbitrary code.
“An attacker exploiting the first bug could take over any developer account and publish malicious releases, while the second would allow an attacker to have persistent access to the server. central PEAR,” said SonarSource vulnerability researcher Thomas Chauchefoin in a published article. week.
PEAR, short for PHP Extension and Application Repository, is a framework and distribution system for reusable PHP components.
One of the problems, outlined in a code commit made in March 2007 when the feature was initially rolled out, involved the use of the cryptographically insecure PHP function mt_rand() in the reset password function could allow an attacker to “discover a valid password reset the token after less than 50 attempts. “
Using this exploit, a bad guy can target existing developer or admin accounts to take over them and publish new trojanized versions of packages that have been maintained by developers. maintained, leading to widespread supply chain compromise.
The second vulnerability, which requires an adversary to chain it with the aforementioned vulnerability in order to gain initial access, stems from Pearweb’s dependency on an older version of Archive_Tar, which is vulnerable to directory-level traversal errors. severity (CVE-2020-36193, CVSS score: 7.5), resulting in arbitrary code execution.
“These vulnerabilities have been around for more than a decade and are difficult to identify and exploit, raising questions about the lack of security contributions from the companies that rely on it,” Chauchefoin said.
The discovery marks the second time security issues have been discovered in the PHP supply chain in less than a year. At the end of April 2021, critical vulnerabilities were disclosed in the Composer PHP package manager that could allow an adversary to execute arbitrary commands.
With meetings supply chain attack software is emerging as a serious threat following deprecated software incidents targeting widely used libraries in the NPM ecosystem, security issues associated with reliance on code in the software is making a comeback, leading the Open Source Initiative to call “open source weaponization “an act of cyber sabotage” over the top.[s] any possible benefit. “