[Tech Story] New Security Research: Supply Chain Attack on Composer, WordPress XXE Vulnerability

Busy week for our security research team! This week we published two new articles describing high-impact vulnerabilities we found in two of the most widely deployed pieces of PHP software, WordPress and Composer. Here is a quick introduction to what happened; the full technical details are in our blog posts!

PHP Supply Chain Attack on Composer (CVE-2021-29472)

Supply chain attacks are a hot topic for development organizations today. Last year, in the largest ever software supply chain attack, 18,000 SolarWinds customers were infected with a backdoor. Earlier this year, a security researcher was able to breach Apple, Microsoft, Paypal and other tech giants using a new supply chain attack technique.

Most PHP projects use Composer to manage and install their dependencies, easing the update process and ensuring that applications work consistently across environments and versions. By default, Composer uses a public service named Packagist to map package names to the repositories from which source code is fetched: last month, the public Packagist infrastructure served around 1.4 billion download requests!

We discovered a vulnerability in Composer that allowed us to gain arbitrary command execution on Packagist.org. This access could have allowed us to backdoor packages served to specific users or to entire communities (e.g. Symfony users) by changing the URLs associated with a given package. This bug is the perfect opportunity to discuss common argument injection patterns, the way it was used to execute commands, and how to reduce the risk of supply chain attacks when such central components are compromised. This vulnerability was responsibly disclosed to Packagist’s security team, who issued a first fix in less than 12 hours!

Read the blog post: PHP Supply Chain Attack on Composer

WordPress 5.7 XXE (CVE-2021-29447)

We recently improved our PHP security engine to detect more OWASP Top 10 and CWE Top 25 issue types. When testing our new analyzers against some of the most popular open-source PHP projects, an interesting issue was raised in the WordPress codebase.

WordPress is the world’s most popular content management system, used by approximately 40% of all websites. This wide adoption makes it one of the top targets for cyber criminals. Its code is heavily reviewed by the security community and by bug bounty hunters who get paid for reporting security issues, so critical code issues rarely slip through.

In this blog post we investigate the new vulnerability reported by our analyzer. We explain its root cause, which is related to PHP 8, and demonstrate how an attacker could leverage it to undermine the security of a WordPress installation. We responsibly disclosed the vulnerability to the WordPress security team, who fixed it in the latest version, 5.7.1, and assigned CVE-2021-29447.

Read the blog post: WordPress 5.7 XXE Vulnerability

Feel free to leave feedback or questions, and stay tuned for our next security research publications!