Testing for PHP Composer security vulnerabilities with Snyk
May 20, 20210 min read
PHP is used extensively to power websites. From blogging to ecommerce, it’s embedded in our everyday lives and powers much of the internet we use today. According to a Wappalyzer report on top programming languages of 2020, PHP has a 79% market share of backend languages used on the internet today.
One of the biggest challenges with PHP libraries over the years has been package management. There have been a few ways to easily install and maintain libraries including PECL, CPAN. Special mention to PEAR which was introduced in 2009 became one of the first ways to load and distribute libraries, this later became PEAR2 which eventually became part of PHP Composer (now in its 9th year!) which is what we are going to look at today.
What is PHP Composer?
PHP Composer is a package management tool used to install and update libraries and dependencies in PHP. It gained popularity quite quickly because of the way it loads and maintains libraries and dependencies within frameworks and projects. Driven by the command line, it allows for users to install PHP applications, libraries, and dependencies — with autoload capabilities — within projects. It’s important to note that PHP Composer will not install anything globally.
Let's look at PHP Composer security
While PHP Composer makes app development faster, it does abstract away a level of control and visibility. So while it makes coding easier, it does beg the question… is it doing it safely? With Snyk, I’m able to answer that question in a few clicks.
Before we take a look at a few platform implementations of PHP Composer in the wild, I just want to point out a few things.
As a user/developer of these platforms, my findings were surprising for a variety of reasons. This reinforces the idea that continually building awareness and education is paramount for developing securely.
In all the below instances, I have reached out to discuss the vulnerabilities with each community and raise awareness when not already known to them (many already had fixes).
To get started with Kirby and Composer, you can follow the simple setup instructions within the Kirby meets Composer documentation:
1composer create-project getkirby/starterkit hello-world
Composer installs the latest version of Kirby (3.3.5), which in the Snyk Vulnerability DB only has one medium and one low severity vulnerability. However, the Snyk CLI finds a problem with one of the dependencies, namely PHPMailer which uses version 6.2.0. This version of PHP Mailer shows up as having a high severity vulnerability for cross site scripting.
This is fixed in PHPMailer 6.4.1 (at the time of writing), and can be fixed by running composer upgrade to the latest version. Looking back through the history of the module shows a long history of vulnerabilities. Which is why regular scanning with Snyk Code is highly recommended to be alerted if new vulnerabilities are discovered.
The Joomla repo comes with a Composer file that installs all of the dependencies needed for it to be run. Running a scan using the Snyk CLI, we find 2 issues and 4 vulnerable paths.
1✗ Medium severity vulnerability found in phpmailer/phpmailer 2 Description: Improper Input Validation 3 Info: https://snyk.io/vuln/SNYK-PHP-PHPMAILERPHPMAILER-570519 4 Introduced through: firstname.lastname@example.org 5 From: email@example.com 6 Fixed in: 6.1.6 7 8✗ Medium severity vulnerability found in paragonie/random_compat 9 Description: Man-in-the-Middle (MitM) 10 Info: https://snyk.io/vuln/SNYK-PHP-PARAGONIERANDOMCOMPAT-72081 11 Introduced through: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org 12 From: email@example.com 13 From: firstname.lastname@example.org > email@example.com 14 From: firstname.lastname@example.org > email@example.com 15 Fixed in: 2.0 16 17Organization: developersteve-285 18Package manager: composer 19Target file: composer.lock 20Project name: joomla/joomla-cms 21Open source: no 22Project path: /php/joomla-cms 23Licenses: enabled 24 25Tested 39 dependencies for known issues, found 2 issues, 4 vulnerable paths. 26 27Tip: Detected multiple supported manifests (2), use --all-projects to scan all of them at once.
In particular we again find PHP Mailer, which installs version 5.2.28. This version has the issue of improper input validation, and Snyk tells us that it is fixed in version 6.1.6.
Snyk also discovered a man-in-the-middle (MITM) vulnerability, which is being loaded in via `paragoine/random_compat` in version 1.4.3 and is associated with `joomla/session`. MitM attacks are extremely bad, as they allow electronic eavesdropping. To learn more about this kind of vulnerability, check out our man-in-the-middle attack blog.
Using the handy guide in the Drupal repo, we can get up and running quickly using the latest 9.x dev branch.
1composer create-project drupal-composer/drupal-project:9.x-dev some-dir --no-interaction
While the installation is running, we can check for any known issues in the Snyk Vulnerability Database, which also shows Drupal version history vulnerabilities to watch out for. Then, using the Snyk CLI, we can see that 9.x comes back green. And just to be extra safe, we can do the same with Drupal 8.x, and see that it also comes back green. Great!
Now that those two versions are cleared, let’s also run a check of Drupal 7, as it is still used a fair bit. To do this, clone the Drupal 7.x repo.
Scanning against 7.x, the Snyk CLI results are a little different, showing 9 vulnerabilities and 18 vulnerable paths. Everything from file upload exploits through to DoS, remote code execution (RCE), and arbitrary code execution (ACE).
1✗ Medium severity vulnerability found in drupal/drupal 2 Description: Cross-site Scripting (XSS) 3 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-174348 4 Introduced through: firstname.lastname@example.org, email@example.com 5 From: firstname.lastname@example.org 6 From: email@example.com > firstname.lastname@example.org 7 Fixed in: 8.5.15, 8.6.15 8 9✗ Medium severity vulnerability found in drupal/drupal 10 Description: Arbitrary Code Execution 11 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-174350 12 Introduced through: email@example.com, firstname.lastname@example.org 13 From: email@example.com 14 From: firstname.lastname@example.org > email@example.com 15 Fixed in: 8.5.15, 8.6.15 16 17✗ Medium severity vulnerability found in drupal/drupal 18 Description: Access Control Bypass 19 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-174352 20 Introduced through: firstname.lastname@example.org, email@example.com 21 From: firstname.lastname@example.org 22 From: email@example.com > firstname.lastname@example.org 23 Fixed in: 8.5.15, 8.6.16 24 25✗ Medium severity vulnerability found in drupal/drupal 26 Description: Access Restriction Bypass 27 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-538566 28 Introduced through: email@example.com, firstname.lastname@example.org 29 From: email@example.com 30 From: firstname.lastname@example.org > email@example.com 31 Fixed in: 8.7.11, 8.8.1 32 33✗ Medium severity vulnerability found in drupal/drupal 34 Description: Arbitrary File Upload 35 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-538568 36 Introduced through: firstname.lastname@example.org, email@example.com 37 From: firstname.lastname@example.org 38 From: email@example.com > firstname.lastname@example.org 39 Fixed in: 8.7.11, 8.8.1 40 41✗ Medium severity vulnerability found in drupal/drupal 42 Description: Denial of Service (DoS) 43 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-538570 44 Introduced through: email@example.com, firstname.lastname@example.org 45 From: email@example.com 46 From: firstname.lastname@example.org > email@example.com 47 Fixed in: 8.7.11, 8.8.1 48 49✗ High severity vulnerability found in drupal/drupal 50 Description: Arbitrary Code Execution 51 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-1048286 52 Introduced through: firstname.lastname@example.org, email@example.com 53 From: firstname.lastname@example.org 54 From: email@example.com > firstname.lastname@example.org 55 56✗ High severity vulnerability found in drupal/drupal 57 Description: Remote Code Execution (RCE) 58 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-173722 59 Introduced through: email@example.com, firstname.lastname@example.org 60 From: email@example.com 61 From: firstname.lastname@example.org > email@example.com 62 Fixed in: 8.5.11, 8.6.10 63 64✗ High severity vulnerability found in drupal/drupal 65 Description: Access Restriction Bypass 66 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-70088 67 Introduced through: firstname.lastname@example.org, email@example.com 68 From: firstname.lastname@example.org 69 From: email@example.com > firstname.lastname@example.org 70 Fixed in: 8.3.1, 8.2.8 71 72Organization: developersteve-285 73Package manager: composer 74Target file: composer.lock 75Project name: drupal-composer/drupal-project 76Open source: no 77Project path: /Users/developersteve/Desktop/Code/php/drupal/7/my_site_name_dir 78Licenses: enabled 79 80Tested 40 dependencies for known issues, found 9 issues, 18 vulnerable paths.
Based on these findings, I would recommend upgrading to 8.x at a minimum to keep your Drupal implementation secure.
Help the communities by contributing back
When I first started running tests on some of these commonly used platforms I actually didn't know what I would find. And as I said before, the results were quite surprising. For the unsuspecting developer, team, or company using these platforms in production, they may not be aware what exactly is being let in. Hopefully this blog helps more teams stay safe.
But I’m just one developer and this is just one blog. For us to really make a big security impact, I’d encourage you all to test projects yourself and contribute to the fixes. These are amazing communities quite often run by passionate developers who want to build things used to help people the world over and they need your support.
Keep your open source dependencies secure
Snyk provides one-click fix PRs for vulnerable open source dependencies and their transitive dependencies.