Testing for PHP Composer security vulnerabilities with Snyk
20 de maio de 2021
0 minutos de leituraPHP is used extensively to power websites. From blogging to ecommerce, it’s embedded in our everyday lives and powers much of the internet we use today. According to a Wappalyzer report on top programming languages of 2020, PHP has a 79% market share of backend languages used on the internet today.
One of the biggest challenges with PHP libraries over the years has been package management. There have been a few ways to easily install and maintain libraries including PECL, CPAN. Special mention to PEAR which was introduced in 2009 became one of the first ways to load and distribute libraries, this later became PEAR2 which eventually became part of PHP Composer (now in its 9th year!) which is what we are going to look at today.
What is PHP Composer?
PHP Composer is a package management tool used to install and update libraries and dependencies in PHP. It gained popularity quite quickly because of the way it loads and maintains libraries and dependencies within frameworks and projects. Driven by the command line, it allows for users to install PHP applications, libraries, and dependencies — with autoload capabilities — within projects. It’s important to note that PHP Composer will not install anything globally.
Let's look at PHP Composer security
While PHP Composer makes app development faster, it does abstract away a level of control and visibility. So while it makes coding easier, it does beg the question… is it doing it safely? With Snyk, I’m able to answer that question in a few clicks.
Before we take a look at a few platform implementations of PHP Composer in the wild, I just want to point out a few things.
As a user/developer of these platforms, my findings were surprising for a variety of reasons. This reinforces the idea that continually building awareness and education is paramount for developing securely.
In all the below instances, I have reached out to discuss the vulnerabilities with each community and raise awareness when not already known to them (many already had fixes).
Kirby
To get started with Kirby and Composer, you can follow the simple setup instructions within the Kirby meets Composer documentation:
1composer create-project getkirby/starterkit hello-world
Composer installs the latest version of Kirby (3.3.5), which in the Snyk Vulnerability DB only has one medium and one low severity vulnerability. However, the Snyk CLI finds a problem with one of the dependencies, namely PHPMailer which uses version 6.2.0. This version of PHP Mailer shows up as having a high severity vulnerability for cross site scripting.
This is fixed in PHPMailer 6.4.1 (at the time of writing), and can be fixed by running composer upgrade to the latest version. Looking back through the history of the module shows a long history of vulnerabilities. Which is why regular scanning with Snyk Code is highly recommended to be alerted if new vulnerabilities are discovered.
Joomla
The Joomla repo comes with a Composer file that installs all of the dependencies needed for it to be run. Running a scan using the Snyk CLI, we find 2 issues and 4 vulnerable paths.
1✗ Medium severity vulnerability found in phpmailer/phpmailer
2 Description: Improper Input Validation
3 Info: https://snyk.io/vuln/SNYK-PHP-PHPMAILERPHPMAILER-570519
4 Introduced through: phpmailer/phpmailer@5.2.28
5 From: phpmailer/phpmailer@5.2.28
6 Fixed in: 6.1.6
7
8✗ Medium severity vulnerability found in paragonie/random_compat
9 Description: Man-in-the-Middle (MitM)
10 Info: https://snyk.io/vuln/SNYK-PHP-PARAGONIERANDOMCOMPAT-72081
11 Introduced through: paragonie/random_compat@1.4.3, joomla/session@1.6.0, paragonie/sodium_compat@1.9.1
12 From: paragonie/random_compat@1.4.3
13 From: joomla/session@1.6.0 > paragonie/random_compat@1.4.3
14 From: paragonie/sodium_compat@1.9.1 > paragonie/random_compat@1.4.3
15 Fixed in: 2.0
16
17Organization: developersteve-285
18Package manager: composer
19Target file: composer.lock
20Project name: joomla/joomla-cms
21Open source: no
22Project path: /php/joomla-cms
23Licenses: enabled
24
25Tested 39 dependencies for known issues, found 2 issues, 4 vulnerable paths.
26
27Tip: Detected multiple supported manifests (2), use --all-projects to scan all of them at once.
In particular we again find PHP Mailer, which installs version 5.2.28. This version has the issue of improper input validation, and Snyk tells us that it is fixed in version 6.1.6.
Snyk also discovered a man-in-the-middle (MITM) vulnerability, which is being loaded in via `paragoine/random_compat` in version 1.4.3 and is associated with `joomla/session`. MitM attacks are extremely bad, as they allow electronic eavesdropping. To learn more about this kind of vulnerability, check out our man-in-the-middle attack blog.
Drupal
Using the handy guide in the Drupal repo, we can get up and running quickly using the latest 9.x dev branch.
1composer create-project drupal-composer/drupal-project:9.x-dev some-dir --no-interaction
While the installation is running, we can check for any known issues in the Snyk Vulnerability Database, which also shows Drupal version history vulnerabilities to watch out for. Then, using the Snyk CLI, we can see that 9.x comes back green. And just to be extra safe, we can do the same with Drupal 8.x, and see that it also comes back green. Great!
Now that those two versions are cleared, let’s also run a check of Drupal 7, as it is still used a fair bit. To do this, clone the Drupal 7.x repo.
Scanning against 7.x, the Snyk CLI results are a little different, showing 9 vulnerabilities and 18 vulnerable paths. Everything from file upload exploits through to DoS, remote code execution (RCE), and arbitrary code execution (ACE).
1✗ Medium severity vulnerability found in drupal/drupal
2 Description: Cross-site Scripting (XSS)
3 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-174348
4 Introduced through: drupal/drupal@7.80.0, drupal/composer_autoloader@1.3.0
5 From: drupal/drupal@7.80.0
6 From: drupal/composer_autoloader@1.3.0 > drupal/drupal@7.80.0
7 Fixed in: 8.5.15, 8.6.15
8
9✗ Medium severity vulnerability found in drupal/drupal
10 Description: Arbitrary Code Execution
11 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-174350
12 Introduced through: drupal/drupal@7.80.0, drupal/composer_autoloader@1.3.0
13 From: drupal/drupal@7.80.0
14 From: drupal/composer_autoloader@1.3.0 > drupal/drupal@7.80.0
15 Fixed in: 8.5.15, 8.6.15
16
17✗ Medium severity vulnerability found in drupal/drupal
18 Description: Access Control Bypass
19 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-174352
20 Introduced through: drupal/drupal@7.80.0, drupal/composer_autoloader@1.3.0
21 From: drupal/drupal@7.80.0
22 From: drupal/composer_autoloader@1.3.0 > drupal/drupal@7.80.0
23 Fixed in: 8.5.15, 8.6.16
24
25✗ Medium severity vulnerability found in drupal/drupal
26 Description: Access Restriction Bypass
27 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-538566
28 Introduced through: drupal/drupal@7.80.0, drupal/composer_autoloader@1.3.0
29 From: drupal/drupal@7.80.0
30 From: drupal/composer_autoloader@1.3.0 > drupal/drupal@7.80.0
31 Fixed in: 8.7.11, 8.8.1
32
33✗ Medium severity vulnerability found in drupal/drupal
34 Description: Arbitrary File Upload
35 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-538568
36 Introduced through: drupal/drupal@7.80.0, drupal/composer_autoloader@1.3.0
37 From: drupal/drupal@7.80.0
38 From: drupal/composer_autoloader@1.3.0 > drupal/drupal@7.80.0
39 Fixed in: 8.7.11, 8.8.1
40
41✗ Medium severity vulnerability found in drupal/drupal
42 Description: Denial of Service (DoS)
43 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-538570
44 Introduced through: drupal/drupal@7.80.0, drupal/composer_autoloader@1.3.0
45 From: drupal/drupal@7.80.0
46 From: drupal/composer_autoloader@1.3.0 > drupal/drupal@7.80.0
47 Fixed in: 8.7.11, 8.8.1
48
49✗ High severity vulnerability found in drupal/drupal
50 Description: Arbitrary Code Execution
51 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-1048286
52 Introduced through: drupal/drupal@7.80.0, drupal/composer_autoloader@1.3.0
53 From: drupal/drupal@7.80.0
54 From: drupal/composer_autoloader@1.3.0 > drupal/drupal@7.80.0
55
56✗ High severity vulnerability found in drupal/drupal
57 Description: Remote Code Execution (RCE)
58 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-173722
59 Introduced through: drupal/drupal@7.80.0, drupal/composer_autoloader@1.3.0
60 From: drupal/drupal@7.80.0
61 From: drupal/composer_autoloader@1.3.0 > drupal/drupal@7.80.0
62 Fixed in: 8.5.11, 8.6.10
63
64✗ High severity vulnerability found in drupal/drupal
65 Description: Access Restriction Bypass
66 Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-70088
67 Introduced through: drupal/drupal@7.80.0, drupal/composer_autoloader@1.3.0
68 From: drupal/drupal@7.80.0
69 From: drupal/composer_autoloader@1.3.0 > drupal/drupal@7.80.0
70 Fixed in: 8.3.1, 8.2.8
71
72Organization: developersteve-285
73Package manager: composer
74Target file: composer.lock
75Project name: drupal-composer/drupal-project
76Open source: no
77Project path: /Users/developersteve/Desktop/Code/php/drupal/7/my_site_name_dir
78Licenses: enabled
79
80Tested 40 dependencies for known issues, found 9 issues, 18 vulnerable paths.
Based on these findings, I would recommend upgrading to 8.x at a minimum to keep your Drupal implementation secure.
Help the communities by contributing back
When I first started running tests on some of these commonly used platforms I actually didn't know what I would find. And as I said before, the results were quite surprising. For the unsuspecting developer, team, or company using these platforms in production, they may not be aware what exactly is being let in. Hopefully this blog helps more teams stay safe.
But I’m just one developer and this is just one blog. For us to really make a big security impact, I’d encourage you all to test projects yourself and contribute to the fixes. These are amazing communities quite often run by passionate developers who want to build things used to help people the world over and they need your support.
Primeiros passos com Capture the Flag
Saiba como resolver desafios de Capture the Flag assistindo ao nosso workshop virtual de conceitos básicos sob demanda.