Background:
- It was reported on 27 April 2021 that Composer has a vulnerability that impacts PHP.
- https://blog.packagist.com/composer-command-injection-vulnerability/
- https://portswigger.net/daily-swig/php-package-manager-flaw-left-millions-of-web-apps-open-to-abuse
- Recommended action: Update to Composer 2.0.13
- Composer - https://getcomposer.org/
Server Environment:
- Linux
- Shared web hosting
These are the steps I took:
Step 1: Log on to Terminal and find out the composer version I am using
composer -vvv about
Result:
Running 2.0.6 (2020-11-07 11:21:17) with PHP 7.3.27 on Linux / 4.19.150-76.ELK.el6.x86_64
Step 2: Run command to update Composer
composer self-update
Result: Error Message
Upgrading to version 2.0.13 (stable channel).
[Composer\Downloader\FilesystemException] Filesystem exception: Composer update failed: "/opt/cpanel/composer/bin/composer" could not be written. rename(/opt/cpanel/composer/bin/composer): failed to open stream: Read-only file system
self-update [-r|--rollback] [--clean-backups] [--no-progress] [--update-keys] [--stable] [--preview] [--snapshot] [--1] [--2] [--set-channel-only] [--] [<version>]
Step 3: Find out the permissions for /opt/cpanel/composer/bin/composer
ls -l /opt/cpanel/composer/bin/composer
Result:
-rwxr-xr-x 1 bin bin 2192976 Nov 10 13:37 /opt/cpanel/composer/bin/composer*
stat /opt/cpanel/composer/bin/composer
Result:
File: `/opt/cpanel/composer/bin/composer'
Size: 2192976 Blocks: 4288 IO Block: 4096 regular file
Device: 801h/2049d Inode: 266192 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 1/ bin) Gid: ( 1/ bin)
Access: 2021-05-02 02:40:36.937400521 -0600
Modify: 2020-11-10 13:37:13.000000000 -0700
Change: 2021-04-14 16:25:27.129945713 -0600
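The three steps above (read the running version, try `self-update`, inspect the binary's permissions) can be folded into one diagnostic script. The following is an added example, not part of the original post: it parses the `Running X.Y.Z` line that `composer -vvv about` prints, compares it against the 2.0.13 fix release named above, checks whether the binary and its directory are writable (the `rename()` in the error message needs both), and reports whether `self-update` can work or a per-user copy is needed. The `install_user_composer` function follows the installer verification procedure documented on getcomposer.org (installer.sig / sha384); the name `MIN_SAFE_VERSION` and the default target `$HOME/bin` are this example's own choices.

```shell
#!/bin/sh
# Composer update diagnostic (added example; not from the original post).
MIN_SAFE_VERSION="2.0.13"   # fix release named in the post

# parse_composer_version LINE: extract "X.Y.Z" from the first line of
# `composer -vvv about`, e.g. "Running 2.0.6 (2020-11-07 11:21:17) with PHP ...".
parse_composer_version() {
    printf '%s\n' "$1" | sed -n 's/^Running \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeed when dotted version A >= B, comparing numerically
# per component so that 2.0.13 sorts after 2.0.6.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0; if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# classify_install BINARY VERSION: print "up-to-date", "self-update" or
# "user-install". self-update writes a new file and renames it over the old
# one, so both the binary and its directory must be writable by this user.
classify_install() {
    bin="$1"; ver="$2"
    if version_ge "$ver" "$MIN_SAFE_VERSION"; then
        echo "up-to-date"
    elif [ -w "$bin" ] && [ -w "$(dirname "$bin")" ]; then
        echo "self-update"
    else
        echo "user-install"
    fi
}

# check_running_composer: steps 1 and 3 of the post in one go, against
# whichever composer is first on PATH.
check_running_composer() {
    bin=$(command -v composer) || { echo "composer is not on PATH" >&2; return 1; }
    line=$(composer -vvv about 2>/dev/null | grep '^Running' | head -n 1)
    ver=$(parse_composer_version "$line")
    [ -n "$ver" ] || { echo "could not parse version from: $line" >&2; return 1; }
    echo "binary: $bin  version: $ver  action: $(classify_install "$bin" "$ver")"
}

# install_user_composer [DIR]: install a current Composer into a directory the
# user owns (default $HOME/bin), verifying the installer against the published
# signature before executing it. Needs network access and php on PATH.
install_user_composer() {
    dest="${1:-$HOME/bin}"
    mkdir -p "$dest" || return 1
    tmp=$(mktemp -d) || return 1
    expected=$(php -r "echo trim(file_get_contents('https://composer.github.io/installer.sig'));")
    php -r "copy('https://getcomposer.org/installer', '$tmp/composer-setup.php');"
    actual=$(php -r "echo hash_file('sha384', '$tmp/composer-setup.php');")
    if [ "$expected" != "$actual" ]; then
        echo "installer checksum mismatch; aborting" >&2
        rm -rf "$tmp"; return 1
    fi
    php "$tmp/composer-setup.php" --install-dir="$dest" --filename=composer --quiet
    rm -rf "$tmp"
    echo "installed: $("$dest/composer" --version)"
    echo "put $dest before /opt/cpanel/composer/bin on PATH so the new copy is used"
}

# When run directly, report on the composer currently on PATH (if any).
if command -v composer >/dev/null 2>&1; then
    check_running_composer
fi
```

On the host described in the post, `check_running_composer` reports `user-install`, since the binary is owned by `bin:bin` with mode 0755 on a read-only filesystem; the fix is then `install_user_composer` followed by prepending that directory to `PATH` in the shell profile and re-running `composer -vvv about` to confirm the `Running` line shows 2.0.13 or later.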