15-Year-Old Bug in PEAR PHP Repository Could've Enabled Supply Chain Attacks
Apr 02, 2022
A 15-year-old security vulnerability has been disclosed in the PEAR PHP repository that could permit an attacker to carry out a supply chain attack, including obtaining unauthorized access to publish rogue packages and execute arbitrary code.

"An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server," SonarSource vulnerability researcher Thomas Chauchefoin said in a write-up published this week.

PEAR, short for PHP Extension and Application Repository, is a framework and distribution system for reusable PHP components.

One of the issues, introduced in a code commit made in March 2007 when the feature was originally implemented, relates to the use of the cryptographically insecure mt_rand() PHP function in the password reset functionality that could allow an attacker to "discover a valid password rese...
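To make the mt_rand() point concrete, the following is an added PHP example written for this page; it is not PEAR's code and does not reproduce the vulnerable commit. It pairs an illustrative reset-token generator built on mt_rand() (a Mersenne Twister whose output is fully determined by its seed, so a token can be recovered by anyone who can enumerate or recover that seed) with a hardened version that draws the token from random_bytes(), stores only its hash, binds it to an expiry and makes it single-use. The function names, the in-memory `$store` array and the one-hour TTL are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Illustrative only, NOT PEAR's code: a reset-token generator in the style
// the article warns about. mt_rand() is a Mersenne Twister, so its output is
// a deterministic function of the seed; recover the seed (or enough outputs)
// and every token it will ever emit is known.
function weakResetToken(): string
{
    return md5((string) mt_rand());
}

// Demonstration: seeding with the same value reproduces the same "secret"
// token. Older PHP auto-seeded the generator from a 32-bit value, a space an
// attacker can enumerate offline once one token is observed.
function weakTokensAreReproducible(int $seed): bool
{
    mt_srand($seed);
    $first = weakResetToken();
    mt_srand($seed);
    $second = weakResetToken();
    return hash_equals($first, $second);
}

// Hardened form (assumed design, not PEAR's): random_bytes() uses the OS
// CSPRNG (PHP >= 7.0); only a hash of the token is kept server-side so a
// database read alone does not yield a usable token; the token expires.
function issueResetToken(array &$store, string $user, int $now, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits of entropy
    $store[$user] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + $ttl,
    ];
    return $token;                               // delivered to the user out of band
}

function verifyResetToken(array &$store, string $user, string $token, int $now): bool
{
    if (!isset($store[$user])) {
        return false;
    }
    $rec = $store[$user];
    if ($now > $rec['expires']) {
        unset($store[$user]);                    // expired tokens are discarded
        return false;
    }
    // hash_equals() compares in constant time, so timing leaks nothing.
    $ok = hash_equals($rec['hash'], hash('sha256', $token));
    if ($ok) {
        unset($store[$user]);                    // single use: consumed on success
    }
    return $ok;
}

// Usage: the weak generator is reproducible from its seed; the hardened
// token verifies once, then is rejected, as is a guessed value.
$store = [];
var_dump(weakTokensAreReproducible(1234));
$t = issueResetToken($store, 'alice', time());
var_dump(verifyResetToken($store, 'alice', $t, time()));
var_dump(verifyResetToken($store, 'alice', $t, time()));
var_dump(verifyResetToken($store, 'alice', 'guess', time()));
```

The practical check when auditing a PHP code base for this class of bug is to grep for mt_rand(), rand(), uniqid() and lcg_value() in any path that mints a secret (reset tokens, session identifiers, API keys, CSRF tokens) and replace them with random_bytes() or random_int(); comparing the stored and presented values with hash_equals() rather than `==` avoids both timing leaks and PHP's loose string-to-number comparison.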