“Researchers from SonarSource discovered two 15-year-old security flaws in the PEAR (PHP Extension and Application Repository) repository that could have enabled supply chain attacks. PEAR is a framework and distribution system for reusable PHP components” (Security Affairs, 2022).
The password reset flaw was rated critical for two reasons: it takes little skill to exploit, and it sits in a central component of the PHP supply chain, the pear.php.net server from which `pear install` fetches packages. An attacker who exploits it can take over any developer account and then publish malicious releases under that developer's name.
The flaw lies in the password reset functionality of pearweb (the web application behind pear.php.net, not PHP itself): the reset token was guessable, so an attacker who requests a reset for a victim's account can recover a valid token without ever seeing the e-mail and set a new password. “Once obtained the password for a developer’s account, threat actors can use it to conduct a supply chain attack by pushing a tainted version of their packages” (Security Affairs, 2022).
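To make the failure mode concrete, here is an added example (mine, not pearweb's code and not SonarSource's proof of concept): a reset-token generator whose only input is the request time, beside a fixed version built on the operating system's CSPRNG. The class and function names, the time-seeded scheme and the sample timestamps are assumptions for illustration; the real pearweb code is not reproduced on this page.

```python
import hashlib
import hmac
import random
import secrets

RESET_TTL = 3600  # seconds a reset token stays valid (assumed policy)


class WeakResetTokens:
    """Illustrative weak scheme (assumed for this example, not pearweb's
    actual code): the token is a hash of the request time plus the output
    of a PRNG seeded with that same time, so it carries no secret at all."""

    def __init__(self):
        self.pending = {}  # user -> (token, expiry)

    @staticmethod
    def derive(seconds: int) -> str:
        rng = random.Random(seconds)            # time-seeded, fully replayable
        material = f"{seconds}:{rng.getrandbits(32)}"
        return hashlib.md5(material.encode()).hexdigest()

    def request_reset(self, user: str, now: int) -> None:
        # The token is e-mailed to the account owner; the attacker never sees it.
        self.pending[user] = (self.derive(now), now + RESET_TTL)

    def redeem(self, user: str, token: str, now: int) -> bool:
        stored, expiry = self.pending.get(user, (None, 0))
        if stored is None or now >= expiry:
            return False
        if hmac.compare_digest(stored, token):
            del self.pending[user]              # single use
            return True
        return False


class StrongResetTokens:
    """Fixed scheme: 256 bits from the OS CSPRNG, only a hash kept
    server-side, constant-time comparison, expiry, single use."""

    def __init__(self):
        self.pending = {}  # user -> (sha256(token), expiry)

    def request_reset(self, user: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[user] = (digest, now + RESET_TTL)
        return token  # goes out by e-mail only

    def redeem(self, user: str, token: str, now: int) -> bool:
        stored, expiry = self.pending.get(user, (None, 0))
        if stored is None or now >= expiry:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if hmac.compare_digest(stored, digest):
            del self.pending[user]
            return True
        return False


def guess_token(server, user: str, approx_time: int, window: int = 300):
    """Attacker model from the PEAR report: the attacker triggered the reset
    for the victim, so they know the request time to within a few seconds.
    Each candidate second is tried directly against the reset endpoint."""
    for t in range(approx_time - window, approx_time + window + 1):
        candidate = WeakResetTokens.derive(t)
        if server.redeem(user, candidate, approx_time):
            return candidate
    return None


def demo():
    now = 1_700_000_000                                     # constructed timestamp
    weak = WeakResetTokens()
    weak.request_reset("victim", now)
    weak_found = guess_token(weak, "victim", now + 2)       # attacker clock 2 s off

    strong = StrongResetTokens()
    real = strong.request_reset("victim", now)
    strong_found = guess_token(strong, "victim", now + 2)   # same 601 guesses, all fail
    first = strong.redeem("victim", real, now + 10)
    second = strong.redeem("victim", real, now + 10)        # already consumed
    return weak_found is not None, strong_found is None, first, second
```

The weak server is broken even though it uses a constant-time compare, an expiry and single use: with the request time as the only input, a 10-minute window costs 601 requests. Rate limiting would slow that down but not fix it; the fix is a token the server cannot derive from public information, which is what `secrets.token_urlsafe` provides.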
The source code behind pear.php.net is public, in a GitHub project named pearweb.
“Upon deploying pearweb on their test virtual machine, the researchers discovered that it pulled the dependency Archive_Tar in an old version (1.4.7, while the last one is 1.4.14). The older version of Archive_Tar is known to be affected by a directory traversal flaw tracked as (CVE-2020-36193) that could potentially lead to arbitrary code execution” (Security Affairs, 2022). A directory traversal in an archive extractor means that a crafted tar entry, either a path containing `../` or a symbolic link pointing outside the extraction directory, makes the extracting process write files anywhere its user account can write, which is how a malicious upload turns into code execution on the server.
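As an added example (mine, not Archive_Tar's or pearweb's code), here is the check an extractor needs against this class of bug: a constructed archive carrying a `../` entry, a symbolic link that escapes the extraction directory and a file that would be written through that link, extracted by a function that resolves every target against the real on-disk destination before writing. The function names and the sample archive are assumptions for illustration.

```python
import io
import os
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Constructed sample (not a real PEAR package): a benign file, a '../'
    traversal entry, a symlink that escapes the extraction directory, and a
    file that would be written *through* that link."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("pkg/README", b"benign\n")
        add_file("../escape.txt", b"lands beside, not inside, the destination\n")
        link = tarfile.TarInfo("pkg/out")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../.."          # resolves above dest once on disk
        tar.addfile(link)
        add_file("pkg/out/evil.txt", b"would follow the symlink out of dest\n")
    return buf.getvalue()


def _inside(base: str, path: str) -> bool:
    """True if path, after resolving any symlinks that already exist on
    disk, still lies within base."""
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(path)
    return real_path == real_base or real_path.startswith(real_base + os.sep)


def extract_safely(tar_bytes: bytes, dest: str):
    """Extract members one at a time, checking each against the real on-disk
    destination so that links created by earlier members (or already present
    in dest) are followed before the write happens."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar:
            target = os.path.join(dest, m.name)
            ok = not os.path.isabs(m.name) and _inside(dest, target)
            if ok and m.issym():
                # A link target is relative to the link's own directory.
                link_dest = os.path.join(os.path.dirname(target), m.linkname)
                ok = _inside(dest, link_dest)
            if ok and not (m.isfile() or m.isdir() or m.issym()):
                ok = False                  # hard links, devices, fifos: never in a package
            if not ok:
                rejected.append(m.name)
                continue
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                if m.issym():
                    os.symlink(m.linkname, target)
                else:
                    with tar.extractfile(m) as src, open(target, "wb") as dst:
                        dst.write(src.read())
            extracted.append(m.name)
    return extracted, rejected


def demo():
    with tempfile.TemporaryDirectory() as dest:
        return extract_safely(build_malicious_tar(), dest)
```

Because the escaping link is refused, the entry `pkg/out/evil.txt` that follows it is written as an ordinary file inside the destination rather than through the link; the `realpath` check before each write is what would catch that write even if a link had slipped through or already existed in the directory. Newer Python releases offer the same protection through `tarfile`'s `filter="data"` extraction filter; the hand-rolled version above shows what such a filter has to verify.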
These vulnerabilities sat in PEAR's infrastructure for roughly fifteen years. Organizations that install PHP components through PEAR, run their own pearweb-based channel, or bundle Archive_Tar should audit what they have: confirm the Archive_Tar version in use is current (1.4.14 at the time of the report), and review which PEAR packages were installed and from where. Because a proof of concept has been released, expect threat actors to try to capitalize on the vulnerability.
We recommend reviewing your use of PEAR and considering a migration to Composer, whose contributor community is more active and where the same packages are largely available.