Packagist

The maintainers of Packagist, the PHP ecosystem's largest package repository, have fixed a critical vulnerability on their official website that could have allowed an attacker to hijack their service.

The flaw was discovered and reported by security researcher Max Justicz.

According to Justicz, the "Submit Package" input field for submitting new PHP packages via the Packagist homepage allowed an attacker to run a malicious command in the format of "$(MALICIOUS_COMMANDS)".


The root cause of this issue was that the Packagist service was expecting the input to be a URL to a source code repository hosted on a Git, Perforce, Subversion, or Mercurial server.

Justicz discovered that Packagist was improperly escaping the inputted characters when performing checks to see if the URL led to a Perforce or Subversion repository, and was executing the malicious commands twice: once for the Perforce check and again for the Subversion check.
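The defect described above is a URL being pasted into a shell command string. The added Python example below (not Packagist's code; the function names, allowed schemes and character set are this example's own assumptions) validates a submitted repository URL before any VCS probe runs and builds the probe as an argv list, so a "$(...)" sequence can never reach a shell.

```python
"""Added example, not Packagist's own code: validate a user-supplied
repository URL and invoke a VCS probe without a shell."""
import re
import subprocess
import sys
from urllib.parse import urlsplit

# Schemes a repository URL is expected to use (assumed list); others are rejected.
ALLOWED_SCHEMES = {"http", "https", "ssh", "git", "svn", "svn+ssh", "p4", "hg"}
# Conservative host/path alphabet: no quotes, spaces, $, (, `, ;, &, | and so on.
_SAFE_CHARS = re.compile(r"^[A-Za-z0-9._~:/@%+\-]+$")


def is_valid_repo_url(url: str) -> bool:
    """Accept only a plain scheme://host/path repository URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    if parts.query or parts.fragment:
        return False
    return bool(_SAFE_CHARS.match(parts.netloc + parts.path))


def vulnerable_probe_command(url: str) -> str:
    """BEFORE: the URL is interpolated into one shell string, so if this string
    is handed to /bin/sh, a $(...) sequence inside it is expanded and executed."""
    return f"svn info --non-interactive {url}"


def safe_probe_argv(url: str) -> list:
    """AFTER: validate first, then pass argv as a list (no shell involved), so the
    URL is a single literal argument whatever characters it contains."""
    if not is_valid_repo_url(url):
        raise ValueError("not a repository URL")
    return ["svn", "info", "--non-interactive", url]


def argument_seen_by_child(argv: list) -> str:
    """Show what a child process receives for the last argv element. A Python
    child stands in for the VCS tool so the demo runs without svn installed."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", argv[-1]]
    result = subprocess.run(child, capture_output=True, text=True, check=True)
    return result.stdout.strip()  # the argument arrives verbatim, unexpanded
```

The `$(echo INJECTED)` used in the checks is a constructed, harmless marker: it stays literal through the argv path and is refused by the validator before any probe is built.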

Depending on an attacker's skill level, one could have easily hijacked Packagist's underlying server and performed more intrusive actions.

The issue is now fixed, according to a blog post Justicz published yesterday.

Packagist serves over 400 million packages per month

Packagist is not a package manager, but only a host for PHP packages. It is the default package host behind Composer, the most popular PHP package manager. Packagist is the largest package hosting service in the PHP ecosystem, with over 435 million package installs reported in July 2018 alone.

The Packagist team did not answer a request for comment.

Justicz has a habit of finding and reporting flaws in popular programming language package managers and related services. He previously reported and helped fix:

- a remote code execution flaw on RubyGems.org, Ruby's main package repository (hosting service)
- a flaw that allowed attackers to delete files from the Python Package Index (PyPI)
- a remote code execution in a mirror of the npmjs.org service, the JavaScript ecosystem's main package repository
- a flaw in Unpkg.com, a popular CDN for npm JavaScript packages

