
PEAR PHP site breach lets hackers slip malware into official download - mikewhy
https://arstechnica.com/information-technology/2019/01/pear-php-site-breach-lets-hackers-slip-malware-into-official-download/
======
jbenner-radham
I haven’t done a lot of PHP coding over the past couple years so I am
admittedly out of the loop. That being said, I’m slightly surprised that PEAR
is still around. Composer usage has been so utterly dominant that I think the
last time I encountered anyone using PEAR was around the PHP 4 days. Just
curious what its actual usage is like as opposed to my anecdotal experience.

~~~
unqualifiedconf
I've spent the last two years doing mostly PHP dev (small company doing web
dev for other small companies in a small town), and while I've never
personally used it, PEAR is still included in cPanel Apache PHP builds, so I'd
hazard a guess that there are a number of servers who are still using it (at
least marginally) even if they don't realize.

That said, this would really only apply to someone who rebuilt their Apache
instance in the last six months, or manually re-installed PEAR. It has the
potential to affect big cPanel-based hosting companies like GoDaddy, but only
if they were deploying new server instances and not using an image to do it
(for some reason).

~~~
unqualifiedconf
I found this linked in the comments of another article about this, so I wanted
to link it here for completeness, as it means my above concerns are a little
less valid:

[https://twitter.com/pear](https://twitter.com/pear)

Main Point:

>If you installed PEAR on your Linux system using your distribution's package
management tool, it is hugely unlikely that go-pear.phar was included with
it... and even more unlikely that you would have used it on that system.

~~~
jbenner-radham
Interesting, thank you for the insight.

