Security News > 2022 > April > 15-Year-Old Bug in PEAR PHP Repository Could've Enabled Supply Chain Attacks

A 15-year-old security vulnerability has been disclosed in the PEAR PHP repository that could permit an attacker to carry out a supply chain attack, including obtaining unauthorized access to publish rogue packages and execute arbitrary code.
"An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server," SonarSource vulnerability researcher Thomas Chauchefoin said in a write-up published this week.
PEAR, short for PHP Extension and Application Repository, is a framework and distribution system for reusable PHP components.
One of the issues, introduced in a code commit made in March 2007 when the feature was originally implemented, relates to the use of the cryptographically insecure mt rand() PHP function in the password reset functionality that could allow an attacker to "Discover a valid password reset token in less than 50 tries."
The findings mark the second time security issues have been uncovered in the PHP supply chain in less than a year.
With software supply chain attacks emerging as a dangerous threat in the wake of protestware incidents aimed at widely-used libraries in the NPM ecosystem, security issues tied to code dependencies in software are back in the spotlight, prompting the Open Source Initiative to call the "Weaponization of open source" an act of cyber vandalism that "Outweigh[s] any possible benefit."
News URL
https://thehackernews.com/2022/04/15-year-old-bug-in-pear-php-repository.html
Related news
- SpotBugs Access Token Theft Identified as Root Cause of GitHub Supply Chain Attack (source)
- That massive GitHub supply chain attack? It all started with a stolen SpotBugs token (source)
- Ripple's xrpl.js npm Package Backdoored to Steal Private Keys in Major Supply Chain Attack (source)
- Ripple NPM supply chain attack hunts for private keys (source)
- Magento supply chain attack compromises hundreds of e-stores (source)
- Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack (source)
- Supply chain attack hits npm package with 45,000 weekly downloads (source)
- RVTools hit in supply chain attack to deliver Bumblebee malware (source)
- DragonForce ransomware abuses SimpleHelp in MSP supply chain attack (source)