News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Pádraic Brady:
Composer Downloading Random Code Is Not A Security Vulnerability?
February 21, 2014 @ 10:04:52

In his latest post Pádraic Bradyhas posted a response to a recent post stating that in issue in Composer where the wrong package could be installed is not a security issue. Pádraic disagrees, here's why:

The problem here is quite simple. A user defines a composer.json file that requires the package bloggs/framework. Someone else creates a package on Packagist.org called evil/framework whose own composer.json states that it replaces bloggs/framework. Next, a group of poor random victims, potentially thousands, use composer to install applications with a dependency on bloggs/framework. Composer does some internal wizardry and installs evil/framework when certain conditions are met. The victims didn't request evil/framework but they get it anyway.

He suggests that this is a kind of remote file inclusion and possibly a remote code execution vulnerabilities. He points out that the manual steps suggested in the post aren't listed in the Composer documentation and fixes for it are still pending work.

Saying one thing, but acting like it's the other thing you don't want people to call it, makes me think it really is the other thing. Probably because it is. Users can fall victim to a replace and it's called "unintuitive", but if a package states that it replaces something that might lead to the unintuitive behaviour, it's an abuse.
0 comments voice your opinion now!
composer random code vulnerability security package

Link: http://blog.astrumfutura.com/2014/02/composer-downloading-random-code-is-not-a-security-vulnerability/

blog comments powered by Disqus

Similar Posts

Chris Jones: Tracing Silex from PHP to the OS with DTrace

Jamie Rumbelow's Blog: Wrap me up and put me in a box

Mike Willbanks' Blog: RPM Packaging - Building and Deploying your own PHP

HowToForge.com: Installing Lighttpd With PHP5 And MySQL Support On OpenSUSE 11.1

DevShed: Web Application Security Overview


Community Events

Don't see your event here?
Let us know!


community unittest laravel5 interview opinion release extension framework wordpress development series laravel introduction library conference podcast voicesoftheelephpant middleware language api

All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework