

Rewterz Threat Alert – Pegasus Spyware – Active IOCs
April 7, 2022
Rewterz Threat Alert – APT-C-23 or AridViper Threat Group – Active IOCs
April 7, 2022
Severity
High
Analysis Summary
Security researchers have discovered a 15-year-old flaw in the PEAR PHP repository, which they believe contributed to supply chain attacks. PEAR is a distribution system and framework for reusable PHP components.
“An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server,” reads the post published by researchers.
The role of this software is to provide a bridge between the name of a package (e.g. Console_Getopt) and the absolute URL where to download it from (e.g. http://download.pear.php.net/package/Console_Getopt-1.4.3.tgz). Its compromise would allow changing this association and force package managers to download packages from unintended sources under the attacker’s control.
By using this exploit against existing developer or administrator accounts, attackers could publish new releases of existing packages after including malicious code in them. It would then be automatically downloaded and executed every time somebody fetches these packages from PEAR.
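A consumer-side check for the two outcomes described above (a changed name-to-URL association and a republished release), given as an added example that is not part of the original alert or of PEAR's code. It assumes the consuming project keeps its own SHA-256 pin per package version; the function name, the sample bytes and the `mirror.example.invalid` host are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Host and path layout follow the download URL quoted in the alert.
EXPECTED_HOST = "download.pear.php.net"


def audit_resolution(package, version, resolved_url, archive, pinned_sha256):
    """Return findings for one resolved download; an empty list means it matches."""
    findings = []
    parts = urlsplit(resolved_url)
    # .hostname drops userinfo and port, so "expected-host@other-host" is caught here.
    if parts.hostname != EXPECTED_HOST:
        findings.append(f"unexpected host {parts.hostname!r}")
    if parts.path != f"/package/{package}-{version}.tgz":
        findings.append(f"unexpected path {parts.path!r}")
    # The pin is recorded out of band (e.g. in the consuming project's repository),
    # so a changed name-to-URL mapping or a republished release cannot update it.
    digest = hashlib.sha256(archive).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256.lower()):
        findings.append("sha256 differs from pinned value")
    return findings


# Constructed sample data: stand-in bytes, not a real PEAR archive.
GOOD = b"constructed stand-in for Console_Getopt-1.4.3.tgz"
PIN = hashlib.sha256(GOOD).hexdigest()
GOOD_URL = "http://download.pear.php.net/package/Console_Getopt-1.4.3.tgz"
OTHER = "mirror.example.invalid/package/Console_Getopt-1.4.3.tgz"

CASES = {
    "clean": (GOOD_URL, GOOD),
    "redirected": ("http://" + OTHER, GOOD),
    "userinfo": ("http://download.pear.php.net@" + OTHER, GOOD),
    "republished": (GOOD_URL, GOOD + b" modified"),
}


def run_cases():
    return {name: audit_resolution("Console_Getopt", "1.4.3", url, data, PIN)
            for name, (url, data) in CASES.items()}


if __name__ == "__main__":
    for name, findings in run_cases().items():
        print(f"{name:12} {'OK' if not findings else '; '.join(findings)}")
```

The host and path checks only catch a changed association; a release republished at the expected URL is caught by the digest pin alone.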
Impact
- Code Execution
Affected Vendors
PEAR
Affected Products
- mt_rand() PHP function
Remediation
For patches, refer to the vendor website:
https://github.com/pear/pearweb/commit/69f9531c2aca8866303b8b9efdd72365b6996f81