A vulnerability in the PHP Composer could have allowed an attacker to execute arbitrary commands and backdoor every PHP package.
The maintainers of the PHP Composer package have addressed a critical vulnerability, tracked as CVE-2021-29472, that could have allowed an attacker to execute arbitrary commands and establish a backdoor in every PHP package.
Composer is the major tool to manage and install software dependencies, it uses the online service Packagist to determines the correct supply chain for package downloads. It has been estimated that the Packagist infrastructure serves around 1.4 billion download requests each month.
“Please immediately update Composer to version 2.0.13 or 1.10.22 (composer.phar self-update).The new releases include fixes for a command injection security vulnerability (CVE-2021-29472) reported by Thomas Chauchefoin from SonarSource.” reads the advisory published by SonarSource.
The command injection vulnerability was discovered by researchers from SonarSource who warn that it flaw could have been potentially exploited to conduct a supply-chain attack.
“During our security research, we discovered a critical vulnerability in the source code of Composer which is used by Packagist. It allowed us to execute arbitrary system commands on the Packagist.org server.” reads the post published by SonarSource, “A vulnerability in such a central component, serving more than 100M package metadata requests per month, has a huge impact as this access could have been used to steal maintainers’ credentials or to redirect package downloads to third-party servers delivering backdoored dependencies.”
The issue was reported on April 22 and the maintainers addressed it in less than 12 hours.
The vulnerability stems from improper sanitization of URLs for repositories in root composer.json files and package source download URLs that could be interpreted as options for system commands executed by Composer.
According to the researchers who discovered the issue, the flaw was introduced in November 2011.
“This problem alone does not yet allow command execution, as the values are appropriately escaped. The parameter injection has been fixed all across Composer with help by Thomas Chauchefoin from SonarSource by separating positional command arguments from options with the — separator where possible, e.g. hg clone — ‘$URL’ instead of hg clone ‘$URL’.” continues the advisory.
Below the timeline for this issue:
| Date | Action |
|---|---|
| 2021-04-22 | First contact to security (at) packagist.org |
| 2021-04-22 | A hotfix is deployed in packagist.org |
| 2021-04-26 | CVE-2021-29472 assigned by GitHub |
| 2021-04-27 | Composer 1.10.22 and 2.0.13 are released |
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, PHP Composer)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
A vulnerability in the PHP Composer could have allowed an attacker to execute arbitrary commands and backdoor every PHP package.
The maintainers of the PHP Composer package have addressed a critical vulnerability, tracked as CVE-2021-29472, that could have allowed an attacker to execute arbitrary commands and establish a backdoor in every PHP package.
Composer is the major tool to manage and install software dependencies, it uses the online service Packagist to determines the correct supply chain for package downloads. It has been estimated that the Packagist infrastructure serves around 1.4 billion download requests each month.
“Please immediately update Composer to version 2.0.13 or 1.10.22 (composer.phar self-update).The new releases include fixes for a command injection security vulnerability (CVE-2021-29472) reported by Thomas Chauchefoin from SonarSource.” reads the advisory published by SonarSource.
The command injection vulnerability was discovered by researchers from SonarSource who warn that it flaw could have been potentially exploited to conduct a supply-chain attack.
“During our security research, we discovered a critical vulnerability in the source code of Composer which is used by Packagist. It allowed us to execute arbitrary system commands on the Packagist.org server.” reads the post published by SonarSource, “A vulnerability in such a central component, serving more than 100M package metadata requests per month, has a huge impact as this access could have been used to steal maintainers’ credentials or to redirect package downloads to third-party servers delivering backdoored dependencies.”
The issue was reported on April 22 and the maintainers addressed it in less than 12 hours.
The vulnerability stems from improper sanitization of URLs for repositories in root composer.json files and package source download URLs that could be interpreted as options for system commands executed by Composer.
According to the researchers who discovered the issue, the flaw was introduced in November 2011.
“This problem alone does not yet allow command execution, as the values are appropriately escaped. The parameter injection has been fixed all across Composer with help by Thomas Chauchefoin from SonarSource by separating positional command arguments from options with the — separator where possible, e.g. hg clone — ‘$URL’ instead of hg clone ‘$URL’.” continues the advisory.
Below the timeline for this issue:
| Date | Action |
|---|---|
| 2021-04-22 | First contact to security (at) packagist.org |
| 2021-04-22 | A hotfix is deployed in packagist.org |
| 2021-04-26 | CVE-2021-29472 assigned by GitHub |
| 2021-04-27 | Composer 1.10.22 and 2.0.13 are released |
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, PHP Composer)