Security

Command injection flaw in PHP Composer allowed supply-chain attacks

A vulnerability in the PHP Composer could have allowed an attacker to execute arbitrary commands and backdoor every PHP package.

The maintainers of the PHP Composer package have addressed a critical vulnerability, tracked as CVE-2021-29472, that could have allowed an attacker to execute arbitrary commands and establish a backdoor in every PHP package.

Composer is the major tool to manage and install software dependencies, it uses the online service Packagist to determines the correct supply chain for package downloads. It has been estimated that the Packagist infrastructure serves around 1.4 billion download requests each month.

“Please immediately update Composer to version 2.0.13 or 1.10.22 (composer.phar self-update).The new releases include fixes for a command injection security vulnerability (CVE-2021-29472) reported by Thomas Chauchefoin from SonarSource.” reads the advisory published by SonarSource.

The command injection vulnerability was discovered by researchers from SonarSource who warn that it flaw could have been potentially exploited to conduct a supply-chain attack.

“During our security research, we discovered a critical vulnerability in the source code of Composer which is used by Packagist. It allowed us to execute arbitrary system commands on the Packagist.org server.” reads the post published by SonarSource, “A vulnerability in such a central component, serving more than 100M package metadata requests per month, has a huge impact as this access could have been used to steal maintainers’ credentials or to redirect package downloads to third-party servers delivering backdoored dependencies.”

The issue was reported on April 22 and the maintainers addressed it in less than 12 hours.

The vulnerability stems from improper sanitization of URLs for repositories in root composer.json files and package source download URLs that could be interpreted as options for system commands executed by Composer.

According to the researchers who discovered the issue, the flaw was introduced in November 2011.

“This problem alone does not yet allow command execution, as the values are appropriately escaped. The parameter injection has been fixed all across Composer with help by Thomas Chauchefoin from SonarSource by separating positional command arguments from options with the — separator where possible, e.g. hg clone — ‘$URL’ instead of hg clone ‘$URL’.” continues the advisory.

Below the timeline for this issue:

DateAction
2021-04-22First contact to security (at) packagist.org
2021-04-22A hotfix is deployed in packagist.org
2021-04-26CVE-2021-29472 assigned by GitHub
2021-04-27Composer 1.10.22 and 2.0.13 are released

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PHP Composer)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

1 hour ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

15 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

22 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.