PEAR Registry Scanner
This scanner detects PEAR Registry Exposure in digital assets.
Short Info
Level
Single Scan
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 3 weeks 7 hours
Scan only one: URL
PEAR (PHP Extension and Application Repository) is a framework and distribution system for reusable PHP components. It is widely used by web developers to manage and distribute PHP libraries and packages. The PEAR Registry manages the metadata and configuration of these installed packages, which makes it crucial for maintaining package integrity and preventing version conflicts. Organizations and developers frequently utilize PEAR for integrating external PHP modules into custom applications and systems. The registry files hold critical data, including version information and installation paths, making them an essential part of the PEAR ecosystem. Proper management of the PEAR Registry is vital for ensuring secure and efficient PHP application development and deployment.
PEAR Registry Exposure refers to unauthorized access to PEAR registry files that contain serialized PHP metadata. This vulnerability can lead to the disclosure of sensitive information about installed packages, including versions and system file paths. Attackers can leverage this information for supply-chain reconnaissance, potentially facilitating more sophisticated attacks. Exposed registry files give unauthorized insight into system configurations and dependencies, compromising the security of PHP applications. It is essential to secure PEAR registry files to prevent data leaks and to safeguard against exploitation by malicious actors. Because the exposure also reveals dependencies, it may aid attackers in identifying potential weaknesses in the application stack.
Technically, the exposure concerns registry files such as .reg and .ber files, which can be accessed via HTTP GET requests to specific paths. If these files can be retrieved, the registry is exposed and unprotected. Attackers can exploit this by simply navigating to predictable directory paths to obtain the registry files. The scanner's matchers check for an HTTP 200 status and for specific keywords in the response body that indicate the presence of registry files. Configuring access controls on the server to restrict access to these registry paths is crucial to mitigate this exposure. Ensuring that these files are not publicly accessible without appropriate authentication and authorization is likewise key to securing the application.
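The following Python sketch is an added example, not the scanner's own code: it applies the matcher logic described above (HTTP 200 plus registry keywords in the body) and audits a web root on disk for .reg and .ber files that hold serialized package metadata, summarizing what each one would disclose. The serialized key names, the directory layout and the sample package are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a registry entry is a PHP-serialized array ("a:<n>:{...") with
# "name" and "version" keys; the exact key set used here is illustrative.
ARRAY_START = re.compile(rb'^a:\d+:\{')
ABS_PATH = re.compile(rb's:\d+:"(/[^"]+)"')  # absolute paths stored as strings

# Constructed sample, not taken from a real installation.
SAMPLE = (b'a:3:{s:4:"name";s:11:"Example_Pkg";'
          b's:7:"version";a:1:{s:7:"release";s:5:"1.2.3";}'
          b's:8:"filelist";a:1:{s:11:"Example.php";a:1:{'
          b's:12:"installed_as";s:29:"/srv/app/pear/php/Example.php";}}}')

def field(body, key):
    """Return the string value stored for key, descending into a nested 'release'."""
    m = re.search(rb's:\d+:"' + key + rb'";(?:a:\d+:\{s:\d+:"release";)?s:\d+:"([^"]*)"', body)
    return m.group(1).decode() if m else None

def looks_like_registry(body):
    return bool(ARRAY_START.match(body)) and b'"name"' in body and b'"version"' in body

def is_registry_response(status, body):
    """Matcher logic from the text: HTTP 200 plus registry keywords in the body."""
    return status == 200 and looks_like_registry(body)

def disclosed(body):
    """Summarize what a reader of the file learns: package, version, file paths."""
    return {"package": field(body, b"name"), "version": field(body, b"version"),
            "paths": [p.decode() for p in ABS_PATH.findall(body)]}

def audit_docroot(docroot, exts=(".reg", ".ber")):
    """Walk a web root on disk and list registry files the server could hand out."""
    findings = []
    for path in sorted(Path(docroot).rglob("*")):
        if path.is_file() and path.suffix in exts:
            body = path.read_bytes()
            if looks_like_registry(body):
                findings.append((path.relative_to(docroot).as_posix(), disclosed(body)))
    return findings

def demo():
    """Build a throwaway web root (hypothetical layout) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "pear", ".registry").mkdir(parents=True)
        Path(root, "pear", ".registry", "example_pkg.reg").write_bytes(SAMPLE)
        Path(root, "notes.reg").write_bytes(b"plain text")  # same extension, not flagged
        return audit_docroot(root)
```

Any file the audit reports should be moved outside the web root or covered by a deny rule on the server.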
When the PEAR Registry Exposure vulnerability is exploited, unauthorized parties can gain insight into the software packages used within an application. This may lead to further compromises such as arbitrary code execution if the dependencies contain known vulnerabilities. The exposure provides attackers with critical system and application architecture information, enhancing their ability to design targeted attacks. Additionally, it may affect the privacy of sensitive data associated with the installed PHP packages. Indirectly, this exposure might lead to a domino effect in which multiple vulnerabilities come to light because the software stack has been revealed.