Researcher finds RCE vulnerability on site of PHP repository Packagist
Researcher Max Justicz has found a vulnerability in the Packagist service, a popular repository for PHP packages. The flaw, which has since been patched, made it possible to execute code remotely on the Packagist server, according to Justicz.
The researcher writes in a blog post that he was able to enter a command in the submission form's URL field, where Packagist users offering a new package normally enter the address of the package's source, such as a link to a Git repository or another version control system.
The p4 and svn commands that the server subsequently ran against that field, for Perforce and Subversion respectively, did not escape the URL. As a result, the injected command was executed by the shell. According to the researcher, the Packagist team has now implemented a patch.
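The defect described above is a classic command injection: a user-controlled URL is concatenated into a shell command string. The following PHP illustration is an added example, not Packagist's code and not taken from Justicz's post; it shows the unsafe string-building pattern beside a hardened version that first validates the URL against an allow-list and then starts the VCS tool with proc_open's array form (available since PHP 7.4), so no shell ever parses the URL. The function names, the sample URLs and the use of `svn info` as the probe command are assumptions chosen for the illustration.

```php
<?php
declare(strict_types=1);

// UNSAFE pattern (for contrast only): the URL becomes part of a string that
// /bin/sh will parse, so any shell metacharacter in $url changes the command.
function buildUnsafeCommand(string $url): string
{
    return 'svn info ' . $url;
}

// Hardening step 1: accept only URLs of the shape a repository address needs.
// A tight character allow-list rejects whitespace, quotes, $, `, ;, |, &, <, >
// and similar, and requiring a known scheme also rejects a leading dash that a
// VCS tool might otherwise read as an option.
function isSafeRepositoryUrl(string $url): bool
{
    if ($url === '' || strlen($url) > 2048) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    $allowedSchemes = ['https', 'http', 'svn', 'ssh', 'git'];
    if (!in_array(strtolower($parts['scheme']), $allowedSchemes, true)) {
        return false;
    }
    return preg_match('~^[A-Za-z0-9._~:/?#@+%-]+$~', $url) === 1;
}

// Hardening step 2: run the tool with an argv array. Each element is passed
// to the program as one argument and no shell is involved.
function runVcsCommand(array $argv): array
{
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ' . $argv[0]);
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['exit' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

// Validate first, then execute without a shell (hypothetical helper name).
function svnInfo(string $url): array
{
    if (!isSafeRepositoryUrl($url)) {
        throw new InvalidArgumentException('rejected repository URL');
    }
    return runVcsCommand(['svn', 'info', '--non-interactive', $url]);
}

// Constructed sample inputs: one well-formed repository URL and one carrying
// shell metacharacters. The second is rejected before any command is built.
$samples = [
    'https://svn.example.org/project/trunk',
    'https://svn.example.org/project; echo injected',
];
foreach ($samples as $url) {
    printf("%-50s validator: %s\n", $url, isSafeRepositoryUrl($url) ? 'accepted' : 'rejected');
    printf("%-50s unsafe string: %s\n", '', buildUnsafeCommand($url));
}
```

The validator is deliberately stricter than the URI grammar: a package submission form only needs to accept repository addresses, so rejecting query strings, quotes and other characters that a legitimate repository URL never contains costs nothing and removes the shell's attack surface entirely. The argv array is the real fix; the allow-list is defence in depth for the case where a downstream tool interprets its arguments in unexpected ways.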
Packagist is a service that offers packages for the PHP dependency manager Composer. According to its own statistics, the service hosts nearly 200,000 packages and records about 400 million package installs each month.
The way command execution was possible, image via Justicz