PEAR to be Hacked

Attackers managed to replace the "go-pear.phar" installer; many users' systems may be compromised
21 January 2019

A compromise of the official PEAR (PHP Extension and Application Repository) package repository, which offers additional functions and classes for the PHP language, has been reported. During the attack, the attackers gained access to the project's web server and modified the "go-pear.phar" file, the installation package for the go-pear package manager. The modification was made 6 months ago.

The systems of PHP users who installed the go-pear package manager from the phar archive during the last 6 months may be compromised (this installation method is mostly used on Windows). To check the installed file for malicious code, it is recommended to compare the hash of the user's go-pear.phar archive with that of the same version of the archive delivered through the official repository on GitHub (the GitHub repository is not compromised; the file was replaced on the PEAR web server only). The MD5 hash of the known variant containing the malicious code is "1e26d9dd3110af79a9595f1a77a82de7".
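The check described above, as an added example that is not part of the original report or of the PEAR project: it hashes an installed go-pear.phar, flags it if its MD5 equals the known-bad hash quoted above, and otherwise compares it against a trusted copy (assumed to have been downloaded from the GitHub repository) by SHA-256. File paths and the sample bytes are constructed for illustration.

```python
import hashlib
from pathlib import Path
from typing import Optional, Tuple

# MD5 of the backdoored go-pear.phar as quoted in the report.
KNOWN_BAD_MD5 = "1e26d9dd3110af79a9595f1a77a82de7"


def digests(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests of the given bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def classify(installed: bytes, reference: Optional[bytes] = None) -> str:
    """Classify the bytes of an installed go-pear.phar.

    'MALICIOUS' : MD5 matches the published known-bad hash.
    'MATCH'     : identical (SHA-256) to the trusted reference copy.
    'MISMATCH'  : differs from the trusted reference copy.
    'UNKNOWN'   : not the known-bad file, but no reference was supplied.
    """
    md5, sha256 = digests(installed)
    if md5 == KNOWN_BAD_MD5:
        return "MALICIOUS"
    if reference is None:
        return "UNKNOWN"
    return "MATCH" if digests(reference)[1] == sha256 else "MISMATCH"


def check_go_pear_file(installed_path: str, reference_path: Optional[str] = None) -> str:
    """File-based wrapper: read the installed archive and optional trusted copy."""
    installed = Path(installed_path).read_bytes()
    reference = Path(reference_path).read_bytes() if reference_path else None
    return classify(installed, reference)


if __name__ == "__main__":
    # Constructed sample bytes standing in for a real archive and its trusted copy.
    sample = b"<?php /* constructed stand-in for go-pear.phar */ ?>"
    print("no reference   :", classify(sample))          # UNKNOWN
    print("same as trusted:", classify(sample, sample))  # MATCH
    print("tampered       :", classify(sample + b"\n", sample))  # MISMATCH
    # Real use (paths are assumptions): check_go_pear_file(r"C:\php\go-pear.phar", "go-pear.phar.github")
```

A MISMATCH is not proof of tampering on its own (versions may differ), but a MALICIOUS result means the installer matches the backdoored file and the host should be treated as compromised.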

No further details have been reported. Until the investigation is complete and the site's contents have been fully rebuilt, the PEAR server has been taken offline.

WordPress 5.0.0 Serious Vulnerability Found

The vulnerability allows arbitrary code execution on the server with only the privileges of an Author
20 February 2019

Simon Scannell has published information about a vulnerability in WordPress that allows arbitrary code execution on the server with only the privileges of an Author of publications on the site. The WordPress 4.9.9 and 5.0.1 updates added partial protection in the WordPress core to block the attack, but the problem remains unresolved in full: in the current release, WordPress 5.0.3, it can still be exploited through additional errors in plugins (it is noted that this manifests in some popular plugins with millions of active installations).

The vulnerability stems from two problems: the ability to overwrite metadata in the database and errors in the processing of file paths. The first problem allows a post's image parameters, stored in the wp_postmeta table, to be overwritten in the database.

To pass PHP code off as an image, a property of the Imagick PHP extension is used: after editing, it leaves the contents of the EXIF metadata unchanged, so the resulting image retains the same EXIF parameters as the original. By placing PHP code in the EXIF block, its execution can be achieved when a specific theme template is included. When the PHP GD extension is used to convert images, the attack becomes more difficult, since GD strips EXIF, and a special selection of pixel values is needed that, after processing by GD, forms PHP code.