As you may or may not be aware, on January 19th, 2019, the PHP Extension and Application Repository (PEAR) project published a security announcement confirming that the go-pear.phar installation script served from pear.php.net had been tampered with. The PEAR project's statement read:
“A security breach has been found on the http://pear.php.net webserver, with a tainted go-pear.phar discovered. The PEAR website itself has been disabled until a known clean site can be rebuilt. A more detailed announcement will be on the PEAR Blog once it’s back online.”
What are PEAR and PHP?
PHP and PEAR are related but distinct entities within the world of web development. Let's look at each one individually:
PHP (Hypertext Preprocessor) is a popular open-source server-side scripting language designed for web development that can also be used as a general-purpose programming language. It can be embedded directly in HTML and is particularly well-suited to web applications, where it is commonly paired with databases such as MySQL and PostgreSQL.
Features of PHP:
- Server-Side Processing: PHP runs on the web server, executing scripts and sending the resulting HTML to the client's browser.
- Cross-Platform: PHP can run on various platforms including Windows, Linux, UNIX, and macOS.
- Database Integration: PHP supports a wide range of databases, making it a go-to for many web applications.
- Extensions & Libraries: PHP has a large ecosystem of extensions and libraries that extend its capabilities.
PEAR (PHP Extension and Application Repository) is a framework and repository for reusable PHP components. Think of it as a library of PHP code modules that developers have written and shared with the community. Using PEAR, developers can avoid “reinventing the wheel” and instead use pre-existing components for common tasks.
Features and Aspects of PEAR:
- Standardized Code: PEAR packages follow the PEAR coding standards, which promote a consistent structure and best practices.
- Wide Range of Packages: From database abstraction, to networking, to authentication, and much more, PEAR offers a variety of packages.
- Installation & Dependency Management: With the PEAR package manager, users can easily install packages and manage dependencies.
- Code Reuse: Developers can draw on PEAR's repository of community-maintained components instead of writing common functionality from scratch, saving time.
In summary, while PHP is a server-side scripting language that facilitates web development, PEAR is a repository and framework for PHP that offers standardized, reusable components to enhance and streamline the development process. They work hand-in-hand: PHP provides the foundational language, and PEAR offers tools and code modules to make PHP development more efficient and effective.
So what happened?
The tainted file may have been in place for as long as six months before it was noticed. An attacker replaced the go-pear.phar installation script on the PEAR website with a version whose archive extractor had been modified: when the installer ran, the added code launched a Perl reverse shell that connected back to an attacker-controlled server. That shell gave the attacker the ability to install software, run arbitrary code, and capture sensitive data on the affected host. Note that it was the downloadable installer that was tainted, not the packages in the PEAR channel themselves.
Should I be concerned?
If you built your PHP or PEAR RPMs using a go-pear.phar downloaded from the PEAR website during that window, there is a chance that your machine has been compromised. At a minimum, compare the hash of any go-pear.phar you downloaded in that period against a clean copy from the PEAR project's GitHub repository. DCSO (Deutsche Cyber-Sicherheitsorganisation, a German cybersecurity organization) has published a MISP (Malware Information Sharing Platform) event containing the relevant IOCs (indicators of compromise), which you can use to scan your infrastructure for signs of infection:
“PHP PEAR Software Supply Chain Attack” (5c46dd16-2ed0-4604-ab12-181cac12042b)
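As an added example (this is not code from the original post, from cPanel, PEAR or DCSO), the following Python script shows how an administrator can turn a MISP event export into a file-system sweep: it pulls the SHA-256 and network indicators out of the event's `Attribute` list, hashes every file under a root directory, and also looks for indicator strings embedded in file contents (a phar is mostly PHP text, so a hard-coded callback address would show up this way). The event and files it builds are constructed placeholders for demonstration; the real indicators are the ones in DCSO's event, which you would pass in as a JSON export instead.

```python
#!/usr/bin/env python3
"""Sweep a directory tree against the indicators in a MISP event export.

Added example for this post, not code from cPanel, PEAR or DCSO. The event
and sample files below are CONSTRUCTED placeholders, not the real indicators
from DCSO's event; point main() at a real export to use it for real.
"""
import hashlib
import json
import os
import re
import sys
import tempfile

HASH_TYPES = {"sha256"}
NETWORK_TYPES = {"ip-dst", "ip-src", "domain", "hostname", "url"}

# Constructed stand-ins: the real tainted go-pear.phar carried a modified
# archive extractor; these bytes exist only so the hash indicator has a match.
TAINTED_PHAR = b"<?php /* constructed placeholder for a tainted go-pear.phar */ ?>\n"
CLEAN_PHAR = b"<?php /* constructed placeholder for a clean go-pear.phar */ ?>\n"
PLACEHOLDER_C2 = "203.0.113.10"  # RFC 5737 documentation address, not a real IOC


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Minimal event in the shape of a MISP JSON export: {"Event": {"Attribute": [...]}}
SAMPLE_MISP_EVENT = {
    "Event": {
        "info": "constructed sample event (placeholder values)",
        "Attribute": [
            {"type": "sha256", "value": sha256_hex(TAINTED_PHAR)},
            {"type": "ip-dst", "value": PLACEHOLDER_C2},
            {"type": "domain", "value": "c2.example.invalid"},
        ],
    }
}


def load_event(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def load_iocs(event: dict) -> dict:
    """Split a MISP event's attributes into hash and network indicator sets."""
    hashes, network = set(), set()
    for attr in event["Event"].get("Attribute", []):
        value = str(attr.get("value", "")).strip().lower()
        if not value:
            continue
        if attr.get("type") in HASH_TYPES:
            hashes.add(value)
        elif attr.get("type") in NETWORK_TYPES:
            network.add(value)
    return {"hashes": hashes, "network": network}


def scan_file(path: str, iocs: dict) -> list:
    """Return the indicator hits for one file as (kind, value) tuples."""
    hits = []
    with open(path, "rb") as fh:
        data = fh.read()
    digest = sha256_hex(data)
    if digest in iocs["hashes"]:
        hits.append(("sha256", digest))
    # Decode loosely so binary sections of a phar do not abort the scan; match
    # network indicators as whole tokens to avoid 203.0.113.1 hitting 203.0.113.100.
    text = data.decode("utf-8", errors="ignore").lower()
    for indicator in iocs["network"]:
        if re.search(r"(?<![\w.-])" + re.escape(indicator) + r"(?![\w.-])", text):
            hits.append(("network", indicator))
    return hits


def scan_tree(root: str, iocs: dict) -> dict:
    """Map each flagged file (path relative to root) to its list of hits."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, iocs)
            if hits:
                flagged[os.path.relpath(path, root)] = hits
    return flagged


def build_demo_tree() -> str:
    """Create a temp tree: a hash-matching phar, a clean phar, and a log that
    only embeds the placeholder callback address. Returns the root path."""
    root = tempfile.mkdtemp(prefix="pear-ioc-demo-")
    pear_dir = os.path.join(root, "usr", "share", "pear")
    os.makedirs(pear_dir)
    with open(os.path.join(pear_dir, "go-pear.phar"), "wb") as fh:
        fh.write(TAINTED_PHAR)
    with open(os.path.join(root, "go-pear.clean.phar"), "wb") as fh:
        fh.write(CLEAN_PHAR)
    with open(os.path.join(root, "install.log"), "wb") as fh:
        fh.write(("installer connected to " + PLACEHOLDER_C2 + " at 03:14\n").encode())
    return root


if __name__ == "__main__":
    # Usage: ioc_scan.py <misp_event.json> <root>; with no arguments, run the demo.
    if len(sys.argv) == 3:
        event, root = load_event(sys.argv[1]), sys.argv[2]
    else:
        event, root = SAMPLE_MISP_EVENT, build_demo_tree()
    for rel_path, hits in sorted(scan_tree(root, load_iocs(event)).items()):
        print(rel_path, hits)
```

A hash hit on go-pear.phar is conclusive; a network-string hit is a lead to triage by hand, since log files and documentation legitimately mention addresses. Run it as root against `/` (or the paths where go-pear.phar and your PEAR installation live) with the real event export, and treat any hash match as a compromised host rather than just a bad file.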
cPanel & WHM users have nothing to fear, as we build our PEAR RPMs from the PEAR project's GitHub sources rather than from the go-pear.phar distributed by pear.php.net, so the tainted archive was never pulled into our RPMs. There are therefore no indications that any cPanel RPMs containing PEAR packages are compromised.
For further updates from PEAR directly, we recommend following the official PEAR Twitter feed. You can also join the discussion by participating in our Discord and Slack channels, as well as our official cPanel subreddit.