The author of PHPUnit was a bit surprised when he received a mail stating that PHPUnit was a security risk and hackers could remotely execute PHP code through a file named eval-stdin.php that ships with PHPUnit.
Even though the eval-stdin.php file itself indeed was vulnerable, it never should have been actively exploitable because:
PHPUnit is a dev dependency, and should never be installed in production.
One should never make their vendor folder publicly accessible. If it is placed in the wwwroot, use .htaccess or the like to prevent direct access to it.
Eventually a fix landed in PHPUnit, accompanied by this nice commit message:
This check should not be required ... yet here it is.
If you upload PHPUnit to a production webserver then your deployment process is broken.
If your vendor/ directory is publicly accessible on your webserver then your deployment process is broken.
When watching a diff that contains a lockfile (say: a yarn.lock for example) on GitHub, GitHub doesn’t always show the differences (see screenshot above) as the changes in such files tend to be quite big. And even if it were to show the changes, does one really take a close look into it? With this in mind, Liran Tal started playing around to create a vector of attack using those lock files.
Take this diff for example:
What becomes clear when you look closer, is that I replaced the original ms npm package to resolve it with my own version, which is stored in my GitHub repository. I should have gotten it from the official npm registry, just as was originally set in the lockfile of the project.
When this pull request gets merged, I inject my malicious version of [email protected] into the code in order to control its behavior during runtime.
In this way, I could introduce a backdoor, alter the logic of the ms module or I could run some postinstall scripts.
To prevent such commits from being merged, you can resort to lockfile-lint which will warn you for such issues.
As an end-user it’s wise to run npm install with --ignore-scripts.
When the Disney+ streaming service rolled out, millions of people flocked to set up accounts. And within a week, thousands of poor unfortunate souls reported that their Disney passwords were hacked. According to media reports, some Disney+ account holders have lost their account access while hackers have sold their logins online.
Turns out a lot of people used one of Disney’s characters their name as their password, which is not the brightest idea.
Last week I got a message from a co-worker notifying me there was a Raspberry Pi connected to our network.
I asked my IT colleagues and they were as baffled as I was. I heard of people getting paid to put things like this in places they shouldn’t and for this reason I was very interested in finding out what it actually does.