Critical vulnerability solved in PHP Packagist

Share this…

A cyber security researcher helped to report the flaw

The maintainers of Packagist, the largest package repository in the PHP ecosystem, have solved a critical vulnerability on their official website that might have allowed an attacker to hijack their services. The vulnerability was discovered and reported by cyber security organization researcher Max Justicz.

According to the researcher, “Summit Package” input field  for sending new PHP packages through the Packagist homepage allowed an attacker to execute a malicious command in the format  “$ (MALICIOUS_COMMANDS) “.

The main cause of this problem was that the Packagist service expected the input to be a URL that would be redirected to a source repository hosted on a Git, perforce, Subversion, or Mercurial server.

The cyber security organization expert found that Packagist was incorrectly escaping the characters entered when performing checks to see if the URL leads to a perforce or Subversion repository, and was executing malicious commands: once for the Perforce check and twice for subversion verification.

Depending on the skill level of a potential attacker, someone could easily hijack the underlying Packagist server and perform more malicious actions.

The vulnerability has already been corrected, according to Max Justicz.

The aforementioned cyber security organization researcher has found and reported several vulnerabilities in popular programming language servers. He previously informed and helped to correct:

  • A remote code execution vulnerability in, the main repository of Ruby packages (hosting service)
  • A flaw that allowed a group of hackers to delete files from the Python Package Index (PyPI)
  • Remote code execution in a mirror of the orgservice, the main package repository for the JavaScript ecosystem
  • A vulnerability in com

According to cyber security organization specialists from the International Institute of Cyber Security, the number of vulnerabilities registered increases year by year. Only in 2017, the historical figure of 14.6k reported cases was reached, a growth of 120% besides to the previous record of 6.6k vulnerabilities.