PHP community sidesteps its third supply chain attack in three years (Security News, April 2021)

Supply chain researcher Max Justicz noticed that he could upload new PHP packages that would trick the Packagist system into running commands of his choice, rather than simply downloading and publishing his submission.
The 2018 exploit worked by swapping a URL for a system command: instead of Composer downloading data from the URL, the shell ran the command that had been inserted where the URL was supposed to be.
The Composer programmers added a step to their code to do what's known as command line sanitising, so that a URL containing sneaky system commands no longer works the way an attacker intended.
The shell session below shows how the `$()` command substitution syntax turns what looks like plain text into a command that gets run:

```
$ uname              # Run the uname command explicitly
Linux
$ uname=whoami       # Set a Bash variable called uname
$ echo uname         # Prints the text uname directly
uname
$ echo $uname        # Print the value of the variable uname
whoami
$ echo $(uname)      # Run the command uname and pass its output to 'echo'
Linux
$ echo $($uname)     # Run the command stored in $uname and pass that output to 'echo'
duck
$ echo \$\(\$uname\) # 'Escape' the chars $() so they get taken literally
$($uname)
```
Thanks to that command line sanitising, the researchers behind the 2021 finding couldn't supply a booby-trapped URL to mislead the remote cURL command, as Max Justicz did in 2018.
It's always a security problem when a legitimate filename, once passed to a system command, can be misinterpreted as a command option rather than a command argument.
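To make the two failure modes above concrete (a URL that the shell expands as a command, and an argument that a tool reads as an option), here is an added Python example that is not Composer's or Packagist's code. It assumes `printf '%s\n'` stands in for the real download tool, the URLs are constructed samples, and the checks in `is_acceptable_url` are an illustrative policy rather than the one Composer actually uses.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumed policy for this example


def run(argv: list[str]) -> str:
    """Run argv and return its stdout without the trailing newline."""
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return out.rstrip("\n")


def interpolated_argv(url: str) -> list[str]:
    # 2018-style mistake: the URL is pasted into a shell command line, so the
    # shell expands $(...) and backticks inside it before the tool ever runs.
    return ["sh", "-c", f"printf '%s\\n' {url}"]


def quoted_argv(url: str) -> list[str]:
    # Command line sanitising: shlex.quote (escapeshellarg in PHP) wraps the
    # value in single quotes, so the shell hands it over as plain text.
    return ["sh", "-c", f"printf '%s\\n' {shlex.quote(url)}"]


def is_acceptable_url(url: str) -> bool:
    # Accept only http(s) URLs. A value starting with '-' can never pass, so the
    # download tool cannot mistake it for a command option (the 2021 problem class).
    if url.startswith("-"):
        return False
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


def argv_without_shell(url: str) -> list[str]:
    # Preferred: no shell at all. The validated URL is one argv element and
    # nothing re-parses it; tools that support '--' should also get it first.
    if not is_acceptable_url(url):
        raise ValueError(f"rejected download target: {url!r}")
    return ["printf", "%s\n", url]


if __name__ == "__main__":
    booby_trap = "https://example.invalid/$(echo injected)"  # constructed sample
    print(run(interpolated_argv(booby_trap)))   # substitution happened
    print(run(quoted_argv(booby_trap)))         # passed through literally
    print(run(argv_without_shell(booby_trap)))  # passed through literally
```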