This vulnerability has been fixed in version 1.2.12. In older versions, an attacker could inject an arbitrary command through a GET or POST request parameter by supplying an image URL in the request. For example, the following command injection scenario would be possible in Packagist: <img src="../../../../../Remote/Command/Injection/"> In addition, the AUTH_SESSION_KEY, PRE_INSTALL_COOKIE and POST_INSTALL_COOKIE variables would each be accessible in the request by injecting a request variable of the same name.

Security Risk of Packagist Command Injection

A command injection vulnerability was found in Packagist. Packagist is a package manager for PHP, and its use in web applications is widespread, from individual websites to web frameworks. Command injection vulnerabilities are a common attack vector because they let an attacker run commands on the underlying system that the application would otherwise never expose.
This vulnerability has been fixed with version 1.2.12 of Packagist.

Timeline

Published on: 02/11/2022 09:15:00 UTC
Last modified on: 03/18/2022 21:00:00 UTC

References