Researchers from SonarSource discovered two 15-year-old security flaws in the PEAR (PHP Extension and Application Repository) repository that could have enabled supply chain attacks.
PEAR is a framework and distribution system for reusable PHP components.
According to the experts, the critical vulnerability in a central component of the PHP supply chain could have been easily exploited by low-skilled threat actors to cause significant disruption.
“An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server,” reads the post published by SonarSource.
One of the flaws discovered by the experts is related to the use of the cryptographically weak mt_rand() PHP function in the password-reset functionality, which could allow an attacker to discover a valid password-reset token in fewer than 50 tries.
Once they have obtained the password for a developer’s account, threat actors can use it to conduct a supply chain attack by pushing a tainted version of that developer’s packages.
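To make the weakness concrete, here is an added example (illustrative code, not pearweb’s own) of a reset token built on mt_rand(), the pattern the article describes, placed beside a hardened version that draws from the OS CSPRNG, stores only a hash with an expiry, and compares in constant time. The function names and the array-backed store are assumptions.

```php
<?php
// Added example, not code from pearweb. Contrasts a weak reset-token generator
// with a hardened issue/verify pair.

declare(strict_types=1);

// WEAK: mt_rand() is a Mersenne Twister, not a CSPRNG. Its output is predictable
// once its internal state or seed is known, so a token derived from it can be
// guessed. Kept here only to mark the anti-pattern; never use it for secrets.
function weakResetToken(): string
{
    return md5((string) mt_rand());
}

// HARDENED: random_bytes() reads from the operating system's CSPRNG.
// 32 bytes gives 256 bits of entropy, far beyond any guessing budget.
function secureResetToken(): string
{
    return bin2hex(random_bytes(32));
}

// Persist only a hash of the token plus an expiry, so a leaked table does not
// hand out working reset links. $store stands in for the user database.
function issueReset(array &$store, string $user, int $now, int $ttl = 3600): string
{
    $token = secureResetToken();
    $store[$user] = ['hash' => hash('sha256', $token), 'expires' => $now + $ttl];
    return $token; // delivered to the account's e-mail address only
}

// Constant-time comparison via hash_equals(); a token is single-use and is
// consumed only on success (consuming on failure would let anyone cancel a
// legitimate reset). Rate limiting of attempts belongs at the HTTP layer.
function verifyReset(array &$store, string $user, string $presented, int $now): bool
{
    if (!isset($store[$user]) || $now > $store[$user]['expires']) {
        return false;
    }
    if (!hash_equals($store[$user]['hash'], hash('sha256', $presented))) {
        return false;
    }
    unset($store[$user]);
    return true;
}

// Constructed demonstration data.
$db    = [];
$now   = time();
$token = issueReset($db, 'alice', $now);
var_dump(verifyReset($db, 'alice', $token, $now));           // valid, first use
var_dump(verifyReset($db, 'alice', $token, $now));           // already consumed
var_dump(verifyReset($db, 'alice', weakResetToken(), $now)); // unrelated guess
```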
Experts explained that the source code behind pear.php.net can be found in a project named pearweb, which is available on GitHub.
Upon deploying pearweb on their test virtual machine, the researchers discovered that it pulled the dependency Archive_Tar in an old version (1.4.7, while the latest is 1.4.14). This older version of Archive_Tar is affected by a directory traversal flaw, tracked as CVE-2020-36193, that could potentially lead to arbitrary code execution.
“These vulnerabilities have been present for more than a decade and were trivial to identify and exploit, raising questions about the lack of security contributions from companies relying on it,” concludes the analysis.
The researchers published a video PoC of the attack, exploiting the flaws to achieve arbitrary code execution on their local PEAR instance.
In April 2021, the same team of researchers discovered another vulnerability, this time in PHP Composer, that could have allowed an attacker to execute arbitrary commands and backdoor every PHP package.