PHP Composer Flaw That Could Affect Millions of Sites PatchedExperts Stress Importance of Upgrading the Tool and Auditing Files
A patch has been issued for a serious vulnerability that affects PHP Composer - a tool used to manage and install software dependencies in the PHP ecosystem. Security researchers at SonarSource say the flaw could put millions of websites at risk.
Developers worldwide use Composer to ease the update process and ensure applications work across environments and versions.
SonarSource discovered a vulnerability in Packagist, which Composer uses to manage PHP package requests, that could enable attackers to cause Composer to download the wrong source code, potentially downloading a backdoor on the server that runs Composer.
"If you happen to use Composer and VcsRepository with user-controlled URLs or if you have your own Packagist instance, make extra sure to upgrade," says Thomas Chauchefoin, vulnerability researcher at SonarSource.
After updating Packagist and Composer, users should audit composer.lock files to ensure they do not contain URLs that could be considered command-line options, managers of Packagist, the largest PHP repository, advise.
SonarSource says that the vulnerable code has been present since the first versions of Packagist appeared 10 years ago. SonarSource explains that it reported all issues to the team that runs Packagist on April 22, and a fix was deployed within 12 hours.
Packagist determines the correct supply chain for PHP - or Hypertext Preprocessor open-source general-purpose scripting language - package downloads. In a single month, the public Packagist infrastructure served around 1.4 billion download requests for source code, according to a blog post by SonarSource.
Nils Adermann, co-founder of Packagist, says the organization has adjusted any external shell commands where possible to separate arguments from options with the POSIX separator, which should make it impossible for similar attacks to be created anywhere in Composer or Packagist.
Researchers at SonarSource discovered the critical vulnerability in the way Packagist downloaded source code from various open-source software libraries to Composer, which allowed them to execute arbitrary system commands via the Packagist.org server.
A vulnerability in such a central component serving more than 100 million package metadata requests per month potentially could have a huge impact, says Chauchefoin. That's because this access could be used to steal maintainers’ credentials or to redirect package downloads to third-party servers delivering back-doored dependencies, enabling attackers to control websites and steal information.
An attacker could trick Composer into downloading the wrong source code by manipulating the URL and then deploy the attacker’s backdoor on the server running Composer, Chauchefoin says.
An Alarming Flaw
The flaw affecting Composer is alarming because the tool is so widely used, says Matthew Gribben, former cybersecurity and cryptographics consultant at the U.K.'s Government Communications Headquarters and current CTO of online retailer Farmison & Co.
"In this instance, the security researchers didn't manage to escalate or establish what user privileges they had. But once that first door is open, it at least opens the potential for an exploit with a significant impact," Gribben says.
Securing Development Life Cycle
Jonathan Knudsen, senior security strategist at the security firm Synopsys, says application teams that want more secure software must adopt a secure development life cycle, in which security is part of every phase, from design through implementation, testing and maintenance.
"Part of the SDLC is using software composition analysis, which is automation that helps teams know which open-source components they’ve used and understand risks from a vulnerability perspective as well as a licensing perspective," he says. "Even after application release, vulnerabilities will continue to accrue in used components. A good SCA solution notifies you when new vulnerabilities are found so that you can address them quickly."
Security experts recommend companies spend more effort auditing all the software tools they use.
"In general, we always recommend you review changes you make to your lock files to ensure no untrusted dependencies or external URLs are introduced to your application," Packagist says. "Please note that Packagist.org is only a metadata server, and package contents are downloaded from a location chosen by the package maintainers."
James McQuiggan, a security awareness advocate at KnowBe4, says cybercriminals will exploit such vulnerabilities when they encounter any PHP systems during their reconnaissance or attack phases.
"Knowing there is a high-risk vulnerability and given the recent high-profile supply chain attacks, organizations want to avoid falling victim to a readily available exploit," he says. "By quickly assessing and reviewing this vulnerability with their risk management and change management teams, they can implement the update as soon as possible."