News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Pádraic Brady:
Composer Downloading Random Code Is Not A Security Vulnerability?
February 21, 2014 @ 10:04:52

In his latest post Pádraic Bradyhas posted a response to a recent post stating that in issue in Composer where the wrong package could be installed is not a security issue. Pádraic disagrees, here's why:

The problem here is quite simple. A user defines a composer.json file that requires the package bloggs/framework. Someone else creates a package on Packagist.org called evil/framework whose own composer.json states that it replaces bloggs/framework. Next, a group of poor random victims, potentially thousands, use composer to install applications with a dependency on bloggs/framework. Composer does some internal wizardry and installs evil/framework when certain conditions are met. The victims didn't request evil/framework but they get it anyway.

He suggests that this is a kind of remote file inclusion and possibly a remote code execution vulnerabilities. He points out that the manual steps suggested in the post aren't listed in the Composer documentation and fixes for it are still pending work.

Saying one thing, but acting like it's the other thing you don't want people to call it, makes me think it really is the other thing. Probably because it is. Users can fall victim to a replace and it's called "unintuitive", but if a package states that it replaces something that might lead to the unintuitive behaviour, it's an abuse.
0 comments voice your opinion now!
composer random code vulnerability security package

Link: http://blog.astrumfutura.com/2014/02/composer-downloading-random-code-is-not-a-security-vulnerability/

blog comments powered by Disqus

Similar Posts

Greg Beaver\'s Blog: PHP_Archive 0.7.0 is released

PHP-Tools Blog: Der Zauberlehrling - Sorcerer's Apprentice

International PHP Magazine: Poll Question: What Makes a Good PHP Security Architecture?

PHPMaster.com: Build Automation with Composer Scripts

IBM developerWorks: Locking down your PHP applications


Community Events





Don't see your event here?
Let us know!


library opinion series api tips update framework list community deployment interview release laravel symfony package zendserver podcast install introduction language

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework