Latest Composer Security Vulnerabilities

Sandworm actively monitors all new Composer package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

This script uses Phive to install a package without progress display, but the concerning flags are --force-accept-unsigned and --trust-gpg-keys. The --force-accept-unsigned flag allows the installation of packages without signatures, which is a security risk because it facilitates the installation of potentially harmful and unverified packages. The --trust-gpg-keys flag trusts the specified GPG keys without verification. Trusting arbitrary keys can lead to the addition of malicious keys, which can further expose sensitive information or compromise the system.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script installs a package using Phive with progress display disabled. Most worryingly, it forces acceptance of unsigned code with the --force-accept-unsigned option, which is a huge security vulnerability, as it allows the execution of potentially malicious or harmful unsigned code. Additionally, it trusts certain GPG keys without any apparent verification, which again could allow unverified, harmful code to be run.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script uses Phive to install a package and it comes with several concerning flags. Specifically, "--force-accept-unsigned" and "--trust-gpg-keys" can potentially expose the system to vulnerabilities.

The "--force-accept-unsigned" means it will accept and install packages that are not signed. Unsigned packages have not been verified by a trusted source and might contain malware or other harmful executables.

The "--trust-gpg-keys" flag means it will trust the listed GPG keys without verification. If those GPG keys were compromised, the system could install malicious packages. Using these flags bypasses important security measures, so it can be a major security vulnerability.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script runs the Phive installation command, which is generally safe; however, it uses a combination of parameters that could pose a security risk. The --force-accept-unsigned parameter allows it to accept the installation of unsigned PHAR files, potentially leaving the system vulnerable to the execution of unverified or malicious code. The --trust-gpg-keys parameter allows it to trust unknown GPG keys, another potential risk that could allow an attacker to introduce manipulated packages.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

This command forces Phive to install a package without checking the authenticity of the package's signature. Additionally, it includes a flag to automatically trust certain GPG keys. Although these keys are provided in the command, if they have not been properly vetted by the user, this can lead to a security breach, as it could download and install malicious software from an untrusted source. It is particularly dangerous because tampering with the software's signature verification makes it easier for an attacker to serve malicious software as though it were a valid package.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script uses Phive to install unknown package(s) and has a potential security vulnerability, as it forces the system to accept unsigned packages (--force-accept-unsigned). This means that any package, even one not signed by its authors, will be accepted and installed, which can lead to the installation of malicious programs. Additionally, the --trust-gpg-keys flag is used, which means it is blindly trusting specific keys. Without verifying these keys, this could allow an attacker to run arbitrary code on the system under the guise of these trusted keys.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script tries to install a package using Phive, a tool for managing PHAR (PHP Archive) files in PHP projects. However, the script passes the --force-accept-unsigned option, which means it automatically accepts all PHARs that cannot be verified. This is a security vulnerability, as it opens up the risk of accepting malicious PHARs that could introduce undesirable behaviour or compromise the system's security. Moreover, it trusts certain GPG keys that could potentially come from untrustworthy sources. Validating the source of these GPG keys is therefore critical to ensure security.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script installs a PHP package using Phive with the --force-accept-unsigned option. This is perilous, as it can accept and install malicious packages without a verified signature. Also, it implicitly trusts a list of GPG keys without clearly showing where these keys come from or whether they are trustworthy. This potentially enables the execution of harmful code or the exposure of sensitive information.

Detected On: 13 Oct 2023
Affected Install Script: install-scripts:post-update-cmd
Severity: moderate

The script first removes all files located in the app/etc directory and then attempts to remove the directory itself. This could delete important configuration files or other sensitive data stored there, which can result in application or system failures. Furthermore, it checks whether the COMPOSER_DEV_MODE variable equals 0, and if it does not, it modifies the configuration of PHP_CodeSniffer, which could allow malicious code to bypass security checks if the configuration is improperly set.

Detected On: 13 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

This script installs a package using Phive; the --force-accept-unsigned flag means it will accept and install packages without requiring GPG signatures. Any malicious software lacking a valid signature could be installed undetected, potentially leading to data breaches, system damage, and other security risks.