Security Advisory: Preventing Dependency Confusion in PHP with Composer

Recently, Nils Adermann from the Packagist team published the article Preventing Dependency Confusion in PHP with Composer on their blog. First off: OXID eShop itself, in the standard installation, is apparently not affected by this vulnerability; rather, this is a (strong) security advisory to all module vendors who still use the archaic way of distributing their modules as zip archives or do not use Packagist at all.

As you all might know, since at least OXID eShop v6.2.x it is mandatory to install modules via Composer. There are, however, two options, automatic or manual installation, as described here: https://docs.oxid-esales.com/developer/en/6.2/development/modules_components_themes/module/installation_setup/installation.html. Even if a manual installation is necessary (depending on the vendor), Composer will still look up Packagist to see whether a newer version of the module is available there and might use that one instead.

Resolution

There is just one small thing to do for you as a module vendor (completely independent of OXID): get yourself a Packagist account and claim your vendor ID before anybody else can do so in your name. Additionally, register your first module with Packagist; it need contain nothing but the required composer.json file and can otherwise be empty. We strongly urge you to do that today, as you are responsible for the safety of your clients and their customers.
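As an added example (not from this advisory, OXID or Packagist), here is a small PHP 8 audit script a vendor or shop operator can run against a project's composer.json: it collects every vendor namespace the project requires, notes whether packagist.org lookups are still enabled, and asks Packagist's public vendor listing (`packages/list.json?vendor=`) whether that vendor name already has packages registered, so a name that nobody has claimed yet stands out. The embedded composer.json and the vendor `acme-modules` are constructed sample data.

```php
<?php
// Added example, not part of the advisory: audit which vendor names a project
// requires and whether each one is already claimed (has packages) on Packagist.

// Constructed sample composer.json: a shop installing one module manually from
// the vendor's own VCS repository instead of from Packagist.
$composerJson = <<<'JSON'
{
    "require": {
        "oxid-esales/oxideshop-ce": "^6.2",
        "acme-modules/checkout-extras": "^1.0"
    },
    "repositories": [
        { "type": "vcs", "url": "https://git.example.com/acme-modules/checkout-extras" }
    ]
}
JSON;

/** Vendor part of every required package name (Composer names are vendor/package). */
function requiredVendors(array $composer): array {
    $vendors = [];
    foreach (array_keys($composer['require'] ?? []) as $package) {
        if (str_contains($package, '/')) {
            $vendors[] = explode('/', $package, 2)[0];
        }
    }
    return array_values(array_unique($vendors));
}

/** False only when composer.json explicitly disables the packagist.org repository. */
function packagistEnabled(array $composer): bool {
    foreach ($composer['repositories'] ?? [] as $key => $repo) {
        if ($key === 'packagist.org' && $repo === false) return false;
        if (is_array($repo) && array_key_exists('packagist.org', $repo) && $repo['packagist.org'] === false) return false;
    }
    return true;
}

/** Package names Packagist lists for a vendor; null if the API could not be reached. */
function packagistPackagesForVendor(string $vendor): ?array {
    $body = @file_get_contents('https://packagist.org/packages/list.json?vendor=' . rawurlencode($vendor));
    if ($body === false) return null;
    return json_decode($body, true)['packageNames'] ?? [];
}

$composer = json_decode($composerJson, true, 512, JSON_THROW_ON_ERROR);
echo packagistEnabled($composer) ? "packagist.org lookups are enabled for this project.\n"
                                 : "packagist.org is disabled; no Packagist lookups will occur.\n";
foreach (requiredVendors($composer) as $vendor) {
    $claimed = packagistPackagesForVendor($vendor);
    if ($claimed === null)      echo "?? vendor '$vendor': Packagist could not be queried.\n";
    elseif ($claimed === [])    echo "!! vendor '$vendor': no packages on Packagist, name is unclaimed; the vendor should register it.\n";
    else                        echo "ok vendor '$vendor': " . count($claimed) . " package(s) on Packagist.\n";
}
```

The script reports whether a vendor name has any packages on Packagist; it cannot tell who owns an already claimed name, so a vendor should still verify that the listed packages are their own.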

Thanks to Daniel at D³ Data Development for letting us know about the gravity of this security risk!
