Testing for PHP Composer security vulnerabilities with Snyk
source link: https://snyk.io/blog/testing-php-composer-security-vulnerabilities-snyk/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Testing for PHP Composer security vulnerabilities with Snyk
DeveloperSteve
May 20, 2021
PHP is used extensively to power websites. From blogging to ecommerce, it’s embedded in our everyday lives and powers much of the internet we use today. According to a Wappalyzer report on top programming languages of 2020, PHP has a 79% market share of backend languages used on the internet today.
One of the biggest challenges with PHP libraries over the years has been package management. There have been a few ways to easily install and maintain libraries including PECL, CPAN. Special mention to PEAR which was introduced in 2009 became one of the first ways to load and distribute libraries, this later became PEAR2 which eventually became part of PHP Composer (now in its 9th year!) which is what we are going to look at today.
What is PHP Composer?
PHP Composer is a package management tool used to install and update libraries and dependencies in PHP. It gained popularity quite quickly because of the way it loads and maintains libraries and dependencies within frameworks and projects. Driven by the command line, it allows for users to install PHP applications, libraries, and dependencies — with autoload capabilities — within projects. It’s important to note that PHP Composer will not install anything globally.
Let’s look at PHP Composer security
While PHP Composer makes app development faster, it does abstract away a level of control and visibility. So while it makes coding easier, it does beg the question… is it doing it safely? With Snyk, I’m able to answer that question in a few clicks.
Before we take a look at a few platform implementations of PHP Composer in the wild, I just want to point out a few things.
- As a user/developer of these platforms, my findings were surprising for a variety of reasons. This reinforces the idea that continually building awareness and education is paramount for developing securely.
- In all the below instances, I have reached out to discuss the vulnerabilities with each community and raise awareness when not already known to them (many already had fixes).
Kirby
To get started with Kirby and Composer, you can follow the simple setup instructions within the Kirby meets Composer documentation:
composer create-project getkirby/starterkit hello-world
Composer installs the latest version of Kirby (3.3.5), which in the Snyk Vulnerability DB only has one medium and one low severity vulnerability. However, the Snyk CLI finds a problem with one of the dependencies, namely PHPMailer which uses version 6.2.0. This version of PHP Mailer shows up as having a high severity vulnerability for cross site scripting.
This is fixed in PHPMailer 6.4.1 (at the time of writing), and can be fixed by running composer upgrade to the latest version. Looking back through the history of the module shows a long history of vulnerabilities. Which is why regular scanning with Snyk Code is highly recommended to be alerted if new vulnerabilities are discovered.
Joomla
The Joomla repo comes with a Composer file that installs all of the dependencies needed for it to be run. Running a scan using the Snyk CLI, we find 2 issues and 4 vulnerable paths.
✗ Medium severity vulnerability found in phpmailer/phpmailer
Description: Improper Input Validation
Info: https://snyk.io/vuln/SNYK-PHP-PHPMAILERPHPMAILER-570519
Introduced through: phpmailer/[email protected]
From: phpmailer/[email protected]
Fixed in: 6.1.6
✗ Medium severity vulnerability found in paragonie/random_compat
Description: Man-in-the-Middle (MitM)
Info: https://snyk.io/vuln/SNYK-PHP-PARAGONIERANDOMCOMPAT-72081
Introduced through: paragonie/[email protected], joomla/[email protected], paragonie/[email protected]
From: paragonie/[email protected]
From: joomla/[email protected] > paragonie/[email protected]
From: paragonie/[email protected] > paragonie/[email protected]
Fixed in: 2.0
Organization: developersteve-285
Package manager: composer
Target file: composer.lock
Project name: joomla/joomla-cms
Open source: no
Project path: /php/joomla-cms
Licenses: enabled
Tested 39 dependencies for known issues, found 2 issues, 4 vulnerable paths.
Tip: Detected multiple supported manifests (2), use --all-projects to scan all of them at once.
In particular we again find PHP Mailer, which installs version 5.2.28. This version has the issue of improper input validation, and Snyk tells us that it is fixed in version 6.1.6.
Snyk also discovered a man-in-the-middle (MITM) vulnerability, which is being loaded in via `paragoine/random_compat` in version 1.4.3 and is associated with `joomla/session`. MitM attacks are extremely bad, as they allow electronic eavesdropping. To learn more about this kind of vulnerability, check out our man-in-the-middle attack blog.
Drupal
Using the handy guide in the Drupal repo, we can get up and running quickly using the latest 9.x dev branch.
composer create-project drupal-composer/drupal-project:9.x-dev some-dir --no-interaction
While the installation is running, we can check for any known issues in the Snyk Vulnerability Database, which also shows Drupal version history vulnerabilities to watch out for. Then, using the Snyk CLI, we can see that 9.x comes back green. And just to be extra safe, we can do the same with Drupal 8.x, and see that it also comes back green. Great!
Now that those two versions are cleared, let’s also run a check of Drupal 7, as it is still used a fair bit. To do this, clone the Drupal 7.x repo.
Scanning against 7.x, the Snyk CLI results are a little different, showing 9 vulnerabilities and 18 vulnerable paths. Everything from file upload exploits through to DoS, remote code execution (RCE), and arbitrary code execution (ACE).
✗ Medium severity vulnerability found in drupal/drupal
Description: Cross-site Scripting (XSS)
Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-174348
Introduced through: drupal/[email protected], drupal/[email protected]
From: drupal/[email protected]
From: drupal/[email protected] > drupal/[email protected]
Fixed in: 8.5.15, 8.6.15
✗ Medium severity vulnerability found in drupal/drupal
Description: Arbitrary Code Execution
Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-174350
Introduced through: drupal/[email protected], drupal/[email protected]
From: drupal/[email protected]
From: drupal/[email protected] > drupal/[email protected]
Fixed in: 8.5.15, 8.6.15
✗ Medium severity vulnerability found in drupal/drupal
Description: Access Control Bypass
Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-174352
Introduced through: drupal/[email protected], drupal/[email protected]
From: drupal/[email protected]
From: drupal/[email protected] > drupal/[email protected]
Fixed in: 8.5.15, 8.6.16
✗ Medium severity vulnerability found in drupal/drupal
Description: Access Restriction Bypass
Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-538566
Introduced through: drupal/[email protected], drupal/[email protected]
From: drupal/[email protected]
From: drupal/[email protected] > drupal/[email protected]
Fixed in: 8.7.11, 8.8.1
✗ Medium severity vulnerability found in drupal/drupal
Description: Arbitrary File Upload
Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-538568
Introduced through: drupal/[email protected], drupal/[email protected]
From: drupal/[email protected]
From: drupal/[email protected] > drupal/[email protected]
Fixed in: 8.7.11, 8.8.1
✗ Medium severity vulnerability found in drupal/drupal
Description: Denial of Service (DoS)
Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-538570
Introduced through: drupal/[email protected], drupal/[email protected]
From: drupal/[email protected]
From: drupal/[email protected] > drupal/[email protected]
Fixed in: 8.7.11, 8.8.1
✗ High severity vulnerability found in drupal/drupal
Description: Arbitrary Code Execution
Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-1048286
Introduced through: drupal/[email protected], drupal/[email protected]
From: drupal/[email protected]
From: drupal/[email protected] > drupal/[email protected]
✗ High severity vulnerability found in drupal/drupal
Description: Remote Code Execution (RCE)
Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-173722
Introduced through: drupal/[email protected], drupal/[email protected]
From: drupal/[email protected]
From: drupal/[email protected] > drupal/[email protected]
Fixed in: 8.5.11, 8.6.10
✗ High severity vulnerability found in drupal/drupal
Description: Access Restriction Bypass
Info: https://snyk.io/vuln/SNYK-PHP-DRUPALDRUPAL-70088
Introduced through: drupal/[email protected], drupal/[email protected]
From: drupal/[email protected]
From: drupal/[email protected] > drupal/[email protected]
Fixed in: 8.3.1, 8.2.8
Organization: developersteve-285
Package manager: composer
Target file: composer.lock
Project name: drupal-composer/drupal-project
Open source: no
Project path: /Users/developersteve/Desktop/Code/php/drupal/7/my_site_name_dir
Licenses: enabled
Tested 40 dependencies for known issues, found 9 issues, 18 vulnerable paths.
Based on these findings, I would recommend upgrading to 8.x at a minimum to keep your Drupal implementation secure.
Help the communities by contributing back
When I first started running tests on some of these commonly used platforms I actually didn’t know what I would find. And as I said before, the results were quite surprising. For the unsuspecting developer, team, or company using these platforms in production, they may not be aware what exactly is being let in. Hopefully this blog helps more teams stay safe.
But I’m just one developer and this is just one blog. For us to really make a big security impact, I’d encourage you all to test projects yourself and contribute to the fixes. These are amazing communities quite often run by passionate developers who want to build things used to help people the world over and they need your support.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK