Scroll Top

PHP PEAR package manager and website compromised

January 23, 2019

Important: If you have downloaded the PHP PEAR package manager from its official website in the past 6 months, is it possible that your server has been compromised.

PEAR, which stands for “PHP Extension and Application Repository,” is a community-driven framework and is the first package manager that was developed for the PHP scripting language back in the 1990s, and works by allowing developers to load and reuse code for common functions delivered as PHP libraries.

PEAR is similar in nature to Maven (for Java), CPAN (for Perl) or CRAN (for R). All PEAR packages are registered in and downloaded from a central server at pear.php.net.

While most PHP developers have switched to using Composer, a newer third-party package manager, PEAR still remains very popular and is still very widespread because it’s also been included by default with all official PHP binaries for Linux.

The administrators of PEAR took down the official website of PEAR after they found that someone had replaced original the PHP PEAR package manager go-pear.phar with a modified version in the core PEAR file system.

A new clean version 1.10.10 of pearweb_phars is now available on Github, which “re-releases” the correct go-pear.phar as v1.10.9, the file that was found tainted on the ‘http://pear.php.net’ server, and now includes separate GPG signature files, that will allow users to more easily verify the authenticity of each individual PEAR component.

The known-infected go-pear.phar executable has an MD5 hash of 1e26d9dd3110af79a9595f1a77a82de7

You should compare all copies of this file in your organization to this hash to determine whether you’ve been directly impacted.

Since the PEAR officials have just put out a warning notification and not released any details about the security incident, it is still unclear that who is behind the attack.

The malicious version made available through the official PEAR website appears to contain a backdoor. What exactly this backdoor does, is currently unknown, as the PHP PEAR team is still analyzing the file’s source code.

All PHP/PEAR users who have downloaded the installation file go-pear.phar from the official website in the past six months should consider themselves compromised and quickly download and install the Github version.

PEAR administrators are using the @pear Twitter account to communicate news about this breach.

 

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW
We respect your privacy.

Related Posts

Vulnerabilities in Drupal Pear library (CVE-2018-1000888)

The Drupal content management system (CMS) has released two security updates on Wednesday, each designed to mitigate critical security vulnerabilities in the content management framework. These vulnerabilities were reported by network security and ethical hacking experts from the International Institute of Cyber Security and allow a malicious user to…

18 Jan 2019

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW
We respect your privacy.
close-link
Our website uses cookies from third party services to improve your browsing experience. Read more about this and how you can control cookies by clicking "Privacy Preferences".
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required
Privacy Policy Cookies Policy