A security researcher from SonarSource discovered a command injection security vulnerability (CVE-2021-29472) in a popular PHP package. This vulnerability could allow an attacker to run arbitrary commands and establish a backdoor in every PHP package, leading to a supply-chain attack.
The command injection flaw
Recently, SonarSource released an advisory that includes fixes for this vulnerability that affects the maintainers of the PHP Composer package.
During security research, a critical vulnerability was discovered in the source code of Composer. The vulnerability allowed researchers to run arbitrary system commands on the Packagist[.]org server.
The vulnerability arises from improper sanitization of URLs for the repos in root composer.json files. The source download URL of the package could be interpreted as options for system commands run by Composer.
The parameter injection is now fixed across all Composers. Thomas Chauchefoin and the team from SonarSource separated positional command arguments from options with the separator wherever possible.
According to the researchers, the issue was first introduced in November 2011. Moreover, it was reported on April 22 and the maintainers addressed it quickly.
Recently discovered threats
In recent months, there have been several products discovered to have exploitable vulnerabilities.
Recently, unknown actors used the fake pretense of Rasmus Lerdorf and Popov, the maintainers of the PHP programming language, to push malicious commits to the PHP repository hosted on the server git.php[.]net.
Multiple vulnerabilities (including CVE-2020-7071) were identified in PHP that could allow attackers to execute arbitrary code.
Security threats in PHP or its components, which serve more than 100 million package metadata requests every month, could have a huge impact. This access could be used to redirect package downloads to third-party servers spreading backdoored dependencies or stealing maintainers’ credentials. Therefore, languages such as PHP need extra layers of security to prevent another major cyber incident.