Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

PHP Supply Chain Attack on Composer- 472

Thomas Chauchefoin, SonarSource. Posted 4 years ago.
  • Composer is the package manager for PHP; in Python, a reasonable comparison is pip. Finding vulnerabilities in package managers can compromise users at scale.
  • When downloading a package, Composer queries Packagist to get the package's metadata. To do this, Composer runs several system commands through ProcessExecutor so it does not have to reimplement the logic for each version control system, such as git.
  • The URL used in this request is escaped properly, which prevents straightforward command injection. So, what's the problem? The command itself can have parameters or arguments injected into it: the URL is passed as an argument, so a value that starts with a dash is read as an option by the program being run. Using this argument injection, arbitrary parameters can be added to the commands Composer executes.
  • Using this argument injection, it was possible to specify a different configuration for the hg (Mercurial) version control command. That configuration can define aliases (lolz), and an alias can be used to pop a shell :)
  • Argument injection is difficult to exploit but is super interesting to look at! It is commonly overlooked but can have dangerous consequences.
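The distinction the notes draw, that shell escaping is not the same as option safety, is easy to see in code. The following is an added example of my own, not code from the Sonar article or from Composer: a constructed command builder in the style of the ProcessExecutor pattern, a stand-in option parser (argparse, not hg itself) to show how a dash-prefixed argument is interpreted, and a hardened builder that allow-lists the URL shape and terminates option parsing with `--`. All names and sample values here are assumptions.

```python
"""Argument injection: a shell-escaped value can still be read as an option.

The builder, the parser and the sample values below are constructed for
illustration; none of them are Composer's or Mercurial's real code.
"""
import argparse
import re
import shlex
from typing import List, Tuple

# Constructed sample inputs. The hostile one is shell-safe (no metacharacters)
# yet begins with a dash, so a VCS command would parse it as a --config option.
BENIGN_URL = "https://example.invalid/acme/repo"
HOSTILE_URL = "--config=alias.clone=PLACEHOLDER_COMMAND"


def build_vcs_argv_unsafe(repo_url: str) -> List[str]:
    """Pattern the notes describe: the URL is escaped for the shell, but
    nothing stops it from occupying an option slot in the argument vector."""
    return ["hg", "clone", repo_url, "dest"]


def build_vcs_argv_safe(repo_url: str) -> List[str]:
    """Hardened builder: allow-list the URL shape so it cannot start with
    '-', and place '--' so everything after it is positional."""
    if not re.fullmatch(r"(https?|ssh)://[A-Za-z0-9._~:/@%+-]+", repo_url):
        raise ValueError(f"rejected repository URL: {repo_url!r}")
    return ["hg", "clone", "--", repo_url, "dest"]


def shell_escaped(argv: List[str]) -> str:
    """Show that escaping alone leaves the hostile value untouched: it
    contains nothing the shell would treat specially."""
    return " ".join(shlex.quote(a) for a in argv)


def parse_like_a_vcs_cli(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Stand-in for the invoked program's option parsing (constructed with
    argparse). Returns (config values seen, positional arguments seen)."""
    parser = argparse.ArgumentParser(prog=argv[0], add_help=False)
    parser.add_argument("--config", action="append", default=[])
    parser.add_argument("positionals", nargs="*")
    ns = parser.parse_args(argv[2:])  # skip "hg clone"
    return ns.config, ns.positionals


def demo() -> dict:
    """Run both builders against both inputs; used by the usage below."""
    unsafe = build_vcs_argv_unsafe(HOSTILE_URL)
    config_seen, _ = parse_like_a_vcs_cli(unsafe)
    try:
        build_vcs_argv_safe(HOSTILE_URL)
        hostile_rejected = False
    except ValueError:
        hostile_rejected = True
    _, positionals = parse_like_a_vcs_cli(build_vcs_argv_safe(BENIGN_URL))
    return {
        "escaped_unsafe_cmdline": shell_escaped(unsafe),
        "config_injected_via_unsafe": config_seen,
        "hostile_rejected_by_safe": hostile_rejected,
        "safe_positionals": positionals,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway for reviewing code like this: escaping answers "can this value break out of the shell?", while argument injection asks "can this value change what the program does?". Validating the argument's shape and using the `--` separator address the second question; the first alone does not.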