Managed Hosting Provider Future Hosting Advises Developers to Check for Insecure Version of PEAR PHP Package Manager
January 30, 2019
Managed hosting provider Future Hosting has advised developers to check for an insecure version of the PEAR PHP package manager. Future Hosting, which has headquarters in Southfield, Michigan, United States, was established in 2001. The company offers Hybrid Virtual Private Servers and Virtual Private Servers (VPS) options alongside dedicated servers and traditional hosting services. The company was in the news late last year for warning people to update PHP to the latest version as previous versions do not now offer updates. Future Hosting’s warning about PEAR PHP package manager comes after a “major security incident”.
Future Hosting’s warning suggests that server security might have been compromised “with a maliciously modified version of the PEAR package installed”. The company cites the PEAR project’s announcement that its servers had been compromised earlier in January. A version of the PEAR package containing malicious code had replaced the official version, leading to a supply-chain attack against users. The code included a backdoor that facilitated server compromise and the attack might impact PHP developers who had downloaded a ‘go-pear.phar’ file from the project’s website over the last six months. PEAR versions installed via the Linux server package manager and versions from GitHub are not at risk.
“PHP is the server-side language of 70 percent of the web, and it’s likely that a huge number of developers have installed PEAR by downloading the infected phar package from PEAR’s website, “ explained Future Hosting’s Vice President of Operations, Maulesh Patel. “At Future Hosting, we provide hosting for thousands of PHP applications, and we want to make sure that every PEAR user is aware of the potential risk.”