Future Hosting Warns PHP Developers About PEAR Supply-Chain Attack
Future Hosting, a managed server hosting provider, has advised PHP developers and server hosting clients to check their servers for the presence of an insecure version of the PEAR PHP package manager.
SOUTHFIELD, Mich., Jan. 29, 2019 /PRNewswire-PRWeb/ -- Future Hosting, a managed server hosting provider, has advised PHP developers and server hosting clients to check their servers for the presence of an insecure version of the PEAR PHP package manager. The advice came in the wake of a major security incident involving PEAR which could compromise the security of servers with a maliciously modified version of the PEAR package installed.
Earlier this month, the PEAR project took down its website and announced that its servers had been compromised. The PEAR package had been replaced with a version containing malicious code in an apparent supply-chain attack against the package manager's users. The malicious package is reported to include a backdoor that could allow a bad actor to compromise servers on which it is installed. The attack is thought to affect PHP developers who downloaded the go-pear.phar file from the project's website in the last six months.
PEAR is used by PHP developers to install and manage third-party PHP libraries. In recent years, it has been overshadowed by the newer Composer tool, but PEAR remains popular and is used by thousands of PHP developers.
"PHP is the server-side language of 70 percent of the web, and it's likely that a huge number of developers have installed PEAR by downloading the infected phar package from PEAR's website," said Maulesh Patel, VP of Operations of Future Hosting. "At Future Hosting, we provide hosting for thousands of PHP applications, and we want to make sure that every PEAR user is aware of the potential risk."
It appears that PEAR versions installed via a Linux server's package manager are not at risk, nor are those downloaded from GitHub. PEAR's developers advise users who downloaded the tool from its website to compare the hash of their installed version with the hash of the version hosted on GitHub. If the two differ, the version downloaded from PEAR's website has likely been modified to include malicious code.
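The hash comparison PEAR recommends, as an added shell example (not code from Future Hosting or the PEAR project): it hashes a locally installed go-pear.phar, compares it with a reference hash you obtain yourself from the GitHub copy (REFERENCE_HASH is a placeholder), and skips copies owned by a dpkg or rpm package, which the article says are not affected. The search paths, function names and the dpkg/rpm checks are assumptions.

```shell
#!/bin/sh
# Added example: verify a local PEAR installer against a GitHub reference hash.
# REFERENCE_HASH is a placeholder; fill it with the SHA-256 of the go-pear.phar
# from the GitHub release you installed.

REFERENCE_HASH="<sha256 of the GitHub copy of go-pear.phar - placeholder>"

# Print the lowercase SHA-256 of a file; fall back to shasum where sha256sum is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a file against an expected hash (case-insensitive).
# Returns 0 on match, 1 on mismatch (treat as possibly tampered), 2 if the file is missing.
pear_hash_check() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "match: $file"
        return 0
    fi
    echo "MISMATCH: $file (got $actual, expected $expected)"
    return 1
}

# Report whether a path belongs to a distribution package (dpkg or rpm), since installs
# made through the OS package manager are described as not at risk. Assumes one of those
# tools is present; returns 1 when neither claims the path.
pear_from_distro_package() {
    if command -v dpkg >/dev/null 2>&1 && dpkg -S "$1" >/dev/null 2>&1; then return 0; fi
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$1" >/dev/null 2>&1; then return 0; fi
    return 1
}

# Usage: check each copy of go-pear.phar found in a few assumed locations.
for f in /usr/local/lib/php/go-pear.phar "$HOME/go-pear.phar" ./go-pear.phar; do
    [ -f "$f" ] || continue
    pear_from_distro_package "$f" && { echo "distro-managed: $f"; continue; }
    pear_hash_check "$f" "$REFERENCE_HASH"
done
```

A mismatch only tells you the file differs from the GitHub copy; make sure the reference hash comes from the same release before treating the installed file as tampered.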
Supply-chain attacks have become increasingly common in recent months as bad actors seek to exploit trusted developer tools and libraries. By compromising the source of a popular software tool, bad actors can place their malicious code onto servers that would otherwise be challenging to gain access to.
About Future Hosting, LLC
Founded in 2001, Future Hosting is a privately held leading Internet solutions provider specializing in managed hosting, including Dedicated Servers, Virtual Private Servers, and Hybrid Virtual Private Servers. The company has built a strong reputation for its high-quality service, innovative pricing models, and 3-hour Service Level Agreement. Future Hosting is based in Southfield, Michigan. For more information, visit http://www.futurehosting.com.
SOURCE Future Hosting