Security News
A keen-eyed researcher at SANS recently wrote about a new and rather specific sort of supply chain attack against open-source software modules in Python and PHP. Following on-line discussions about a suspicious public Python module, Yee Ching Tok noted that a package called ctx in the popular PyPi repository had suddenly received an "Update", despite not otherwise being touched since late 2014. In theory, of course, there's nothing wrong with old packages suddenly coming back to life.
Yesterday, developers took notice of two hugely popular Python and PHP libraries, respectively, 'ctx' and 'PHPass' that had been hijacked, as first reported in the news by BleepingComputer. According to the hacker, rather "Security researcher," this was a bug bounty exercise and no malicious activity was intended.
The threat actor even replaced the older, safe versions of 'ctx' with code that exfiltrates the developer's environment variables, to collect secrets like Amazon AWS keys and credentials. Versions of a 'phpass' fork published to the PHP/Composer package repository Packagist had been altered to steal secrets in a similar fashion.
PyPI module 'ctx' that gets downloaded over 20,000 times a week has been compromised in a software supply chain attack with malicious versions stealing the developer's environment variables. The threat actor even replaced the older, safe versions of 'ctx' with code that exfiltrates the developer's environment variables, to collect secrets like Amazon AWS keys and credentials.
A 15-year-old security vulnerability has been disclosed in the PEAR PHP repository that could permit an attacker to carry out a supply chain attack, including obtaining unauthorized access to publish rogue packages and execute arbitrary code. "An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server," SonarSource vulnerability researcher Thomas Chauchefoin said in a write-up published this week.
Released yesterday [2022-02-17], this version fixes various memory mismanagement bugs, including CVE-2021-21708, which is a use-after-free blunder in a function called php filter float(). A proof-of-concept exploit based on using PHP to query a database shows that the bug can be used to crash the PHP process, so a working Denial of Service attack is already known to be possible.
Tens of thousands of WordPress sites are at risk from critical vulnerabilities in a widely used plug-in that facilitates the use of PHP code on a site. The plug-in does precisely what its name suggests, allowing WordPress site developers to put PHP code in various components of a site, including pages, posts and sidebars.
Critical security vulnerabilities have been disclosed in a WordPress plugin known as PHP Everywhere that's used by more than 30,000 websites worldwide and could be abused by an attacker to execute arbitrary code on affected systems. PHP Everywhere is used to flip the switch on PHP code across WordPress installations, enabling users to insert and execute PHP-based code in the content management system's Pages, Posts, and Sidebar.
PHP Everywhere is a plugin that allows WordPress admins to insert PHP code in pages, posts, the sidebar, or any Gutenberg block, and use it to display dynamic content based on evaluated PHP expressions. CVE-2022-24663 - Remote code execution flaw exploitable by any subscriber by allowing them to send a request with the 'shortcode' parameter set to PHP Everywhere, and execute arbitrary PHP code on the site.
Cybercrime groups are distributing malicious PHP web shells disguised as a favicon to maintain remote access to the compromised servers and inject JavaScript skimmers into online shopping platforms with an aim to steal financial information from their users. Injecting web skimmers on e-commerce websites to steal credit card details is a tried-and-tested modus operandi of Magecart, a consortium of different hacker groups who target online shopping cart systems.