Command injection flaw in PHP Composer allowed supply-chain attacks

A vulnerability in the PHP Composer could have allowed an attacker to execute arbitrary commands and backdoor every PHP package.

The maintainers of the PHP Composer package have addressed a critical vulnerability, tracked as CVE-2021-29472, that could have allowed an attacker to execute arbitrary commands and establish a backdoor in every PHP package.

Composer is the major tool to manage and install software dependencies, it uses the online service Packagist to determines the correct supply chain for package downloads. It has been estimated that the Packagist infrastructure serves around 1.4 billion download requests each month.

“Please immediately update Composer to version 2.0.13 or 1.10.22 (composer.phar self-update).The new releases include fixes for a command injection security vulnerability (CVE-2021-29472) reported by Thomas Chauchefoin from SonarSource.” reads the advisory published by SonarSource.

The command injection vulnerability was discovered by researchers from SonarSource who warn that it flaw could have been potentially exploited to conduct a supply-chain attack.

“During our security research, we discovered a critical vulnerability in the source code of Composer which is used by Packagist. It allowed us to execute arbitrary system commands on the Packagist.org server.” reads the post published by SonarSource, “A vulnerability in such a central component, serving more than 100M package metadata requests per month, has a huge impact as this access could have been used to steal maintainers’ credentials or to redirect package downloads to third-party servers delivering backdoored dependencies.”

The issue was reported on April 22 and the maintainers addressed it in less than 12 hours.

The vulnerability stems from improper sanitization of URLs for repositories in root composer.json files and package source download URLs that could be interpreted as options for system commands executed by Composer.

According to the researchers who discovered the issue, the flaw was introduced in November 2011.

“This problem alone does not yet allow command execution, as the values are appropriately escaped. The parameter injection has been fixed all across Composer with help by Thomas Chauchefoin from SonarSource by separating positional command arguments from options with the — separator where possible, e.g. hg clone — ‘$URL’ instead of hg clone ‘$URL’.” continues the advisory.

Below the timeline for this issue:

Date	Action
2021-04-22	First contact to security (at) packagist.org
2021-04-22	A hotfix is deployed in packagist.org
2021-04-26	CVE-2021-29472 assigned by GitHub
2021-04-27	Composer 1.10.22 and 2.0.13 are released

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PHP Composer)

[adrotate banner=”5″]

[adrotate banner=”13″]