
Many security researchers have been warning that a software supply chain vulnerability in the PHP ecosystem can put millions of websites at risk.

Security researchers at SonarSource discovered the flaw. It affects Composer, the main tool used to manage and install dependencies for PHP projects.

Composer itself relies on Packagist, the online service that resolves PHP package requests, and that is where the flaw is present.


SonarSource discovered a vulnerability that allowed attackers to execute arbitrary system commands on the Packagist server. This could be used to obtain maintainer credentials or to redirect package requests.

Thomas Chauchefoin, a vulnerability researcher at SonarSource, had this to say about the subject:
An attacker changing the URL associated with the package symfony/symfony by one under their control would trick Composer into downloading the wrong source code, and with that deploy the attacker’s backdoor on the server running Composer. Its exploitability is very dependent on the command that is being called. That is very easy to overlook as user-controlled data is often already correctly sanitized against other injection vulnerabilities.
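The point in Chauchefoin's last two sentences is that data can be fully safe for a shell and still be misread by the program that receives it as an argument. The following added example (not Composer's or Packagist's code; the scheme allowlist, the git invocation and the github.com URL for symfony/symfony are assumptions) shows the two defensive checks a package manager can apply before handing a user-supplied source URL to a VCS client: reject values that could parse as an option, and terminate option parsing with `--`.

```python
# Added illustration (not Composer's or Packagist's code): keeping a user-supplied
# package source URL from being interpreted as an option by the VCS client that
# a package manager spawns. Scheme allowlist and git invocation are assumptions.
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"https", "ssh", "git"}


class UnsafeSourceUrl(ValueError):
    """Raised when a package source URL must not be passed to a subprocess."""


def validate_source_url(url: str) -> str:
    """Return url unchanged if it is safe to use as a positional argument.

    Shell-injection sanitisation is not enough here: with an argv list the value
    never reaches a shell, but the VCS client still parses every argument, so a
    value beginning with '-' can be read as an option instead of a repository.
    """
    if not url or url.startswith("-"):
        raise UnsafeSourceUrl("source URL must not look like a command-line option")
    if any(ch.isspace() or ch == "\x00" for ch in url):
        raise UnsafeSourceUrl("source URL contains whitespace or NUL")
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        raise UnsafeSourceUrl(f"unsupported or incomplete source URL: {url!r}")
    return url


def build_clone_argv(url: str, dest_dir: str) -> list[str]:
    """Build the argv for cloning a package source with git (hypothetical step).

    The '--' separator tells git that everything after it is positional, so a
    value that slipped past validation still cannot become an option. Execute
    with subprocess.run(argv), never with shell=True.
    """
    safe_url = validate_source_url(url)
    return ["git", "clone", "--", safe_url, dest_dir]


def is_safe_source_url(url: str) -> bool:
    """Boolean form of validate_source_url for callers that do not want exceptions."""
    try:
        validate_source_url(url)
    except UnsafeSourceUrl:
        return False
    return True
```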

The flaw was discovered while researching software supply chain attacks and investigating many of the components within the PHP package ecosystem.

SonarSource believes this flaw went undetected for 10 years, even though a vulnerability was found in the same code by the researcher Max Justicz in 2018.

PHP's popularity and the number of PHP projects that use Composer increase the risk. PHP runs on 80% of all websites in the world, and two-thirds of them, according to SonarSource, use Composer to manage their dependencies.

Chauchefoin said: The public Packagist infrastructure facilitates the downloads, but doesn't directly host the source code. It is estimated that the public Packagist infrastructure serves around 100 million metadata requests per month. These could have been backdoored with the vulnerability we reported.

Jed Kafetz, head of penetration testing at Redscan, had this to say:

If an attacker can backdoor a common software package, every other application trying to use the system or software may be affected. An attacker could then leverage this access to exfiltrate data, causing a large-scale breach, or compromise the underlying network, or alternatively use it as a base for further attacks. Supply chain compromise is a hugely advantageous route for an attacker to take. It goes beyond the realms of a targeted attack and can make a significant number of systems that were previously secure suddenly become vulnerable.

Keep in mind that the flaw is now fixed, and the researchers said that the risks posed to sites using PHP are now limited. Web developers should still remain vigilant, however.