Sunday, December 29, 2024
HomeCVE/vulnerability15-Year-old Security Vulnerability In The PEAR PHP Repository Permits Supply Chain Attack

15-Year-old Security Vulnerability In The PEAR PHP Repository Permits Supply Chain Attack

Published on

SIEM as a Service

PEAR PHP repository has been found to contain a 15-year-old security vulnerability that could provide an attacker with the ability to carry out a supply chain attack on the system.

The attacker could also obtain unauthorized access to perform arbitrary acts such as publishing rogue packages and executing arbitrary code in addition to the supply chain attack.

PEAR is a framework for distributing PHP components in a reusable and modular form. 

- Advertisement - SIEM as a Service

Flaw in the PEAR PHP repository

This vulnerability potentially showed a way for the threat actors with low-level skills to exploit a critical component of the PHP supply chain to cause major trouble.

When the feature was originally implemented, one of the problems was introduced by a code commit (made in March 2007) that used a cryptographically insecure PHP function called “mt_rand()”.

The threat actors could also be able to discover a valid password reset token within less than 50 attempts with this functionality.

The PEAR client itself, Console_Getopt, Archive_Tar, and Mail rank as the most popular packages downloaded from pear.php.net, with over 285 million packages downloaded in total.

In spite of Composer’s large market share, PEAR packages continue to be downloaded thousands of times each month.

Here’s what Thomas Chauchefoin, the vulnerability researcher at SonarSource stated:-

“An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server.”

However, SonarSource’s security analysts have identified two security flaws that can be exploited for over 15 years. While here below we have mentioned them and also presented the proof of concept as well:-

  • Successful exploitation of the first flaw would allow malicious releases to be published from any developer account.
  • While by exploiting the second flaw, the threat actors can gain persistent access to the PEAR server hosted by the central PEAR server.

There is a source code project called pearweb, which can be found on GitHub and it is the source code behind pear.php.net. 

Researchers have discovered that the pearweb pulled the dependency Archive_Tar in an old version (1.4.7, rather than its latest version 1.4.14), and therefore missed out on several other features while deploying the pearweb on their test virtual machine.

An older version of Archive_Tar is known to contain a directory traversal vulnerability that can potentially lead to arbitrary code execution. This vulnerability has been tracked as “CVE-2020-36193” across a number of versions.

There have been two malicious attacks detected in the PHP supply chain in less than a year, making it the second time issues have been discovered.

While in late April 2021, critical vulnerabilities were divulged in the Composer PHP package manager that could enable an adversary to execute arbitrary commands.

The Composer PHP package manager, which includes the PHP programming language and a large number of additional modules, was found to be vulnerable to critical vulnerabilities in late April 2021.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a...

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated...

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms...

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a...

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated...

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms...