8 April 2021

PHP maintainer releases update on PHP source code compromise: User database may have been leaked


PHP maintainer Nikita Popov has published an update regarding the security incident involving alleged PHP source code compromise that came to light at the end of March 2021.

On March 28, an unknown malicious actor pushed two malicious commits to the php-src repository under the names of Nikita Popov and the PHP creator Rasmus Lerdorf.

The malicious commits were disguised as fixes for minor typographical errors. However, on closer inspection of line 370, where the zend_eval_string function is called, contributors noticed that the code actually adds a backdoor that allows malicious code to be executed on a website running the vulnerable PHP version. The injected code is executed from within the user-agent HTTP header if the string starts with 'zerodium', the name of a well-known exploit seller.

Initially, the development team believed that the server hosting the repository had been compromised. However, in a new message Popov said: “We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked.”

Further investigation into the incident revealed that the malicious commits were pushed using HTTPS and password-based authentication.

“Something I was not aware of at the time is that git.php.net (intentionally) supported pushing changes not only via SSH (using the gitolite infrastructure and public key cryptography), but also via HTTPS. The latter did not use gitolite, and instead used git-http-backend behind Apache2 Digest authentication against the master.php.net user database,” the PHP maintainer explained.

“It is notable that the attacker only makes a few guesses at usernames, and successfully authenticates once the correct username has been found. While we don't have any specific evidence for this, a possible explanation is that the user database of master.php.net has been leaked, although it is unclear why the attacker would need to guess usernames in that case,” he added.
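Both behaviours the article describes, the 'zerodium' user-agent trigger and a single client guessing usernames over HTTPS push until one authenticates, leave traces in the web server's access log. The script below is an added example, not code from the article or from php.net: it assumes Apache combined log format (with the username the client supplied in the third field, which Apache records even when the request was rejected with 401), a push URL containing `git-receive-pack`, and uses constructed log lines with made-up hosts and usernames.

```python
"""Detection over Apache combined-format access logs (added example).

Flags (1) requests whose User-Agent starts with the backdoor trigger
'zerodium' and (2) hosts that fail HTTP auth under several usernames
before a push succeeds.  All log lines and names are constructed.
"""
import re
from collections import defaultdict

# host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

TRIGGER = "zerodium"          # prefix the backdoor looked for in the user agent
PUSH_MARKER = "git-receive-pack"  # assumed path fragment of an HTTPS git push

# Constructed sample log (not real traffic); usernames alpha/bravo/charlie/alice are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2021:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "zerodium<constructed payload>"
198.51.100.9 - - [28/Mar/2021:10:05:00 +0000] "POST /repository/php-src.git/git-receive-pack HTTP/1.1" 401 0 "-" "git/2.30.0"
198.51.100.9 - alpha [28/Mar/2021:10:05:01 +0000] "POST /repository/php-src.git/git-receive-pack HTTP/1.1" 401 0 "-" "git/2.30.0"
198.51.100.9 - bravo [28/Mar/2021:10:05:02 +0000] "POST /repository/php-src.git/git-receive-pack HTTP/1.1" 401 0 "-" "git/2.30.0"
198.51.100.9 - charlie [28/Mar/2021:10:05:03 +0000] "POST /repository/php-src.git/git-receive-pack HTTP/1.1" 200 2048 "-" "git/2.30.0"
192.0.2.4 - alice [28/Mar/2021:10:10:00 +0000] "POST /repository/php-src.git/git-receive-pack HTTP/1.1" 200 1024 "-" "git/2.30.0"
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def backdoor_trigger_hits(lines):
    """Return records whose User-Agent begins with the trigger string (case-insensitive).

    No legitimate client sends such a user agent, so any hit is worth an alert.
    """
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and rec["agent"].lower().startswith(TRIGGER):
            hits.append(rec)
    return hits


def username_guessing(lines, push_marker=PUSH_MARKER, min_usernames=2):
    """Return hosts that got 401 under at least `min_usernames` distinct usernames
    on push requests and then pushed successfully, keyed by host.

    The first 401 of a Digest exchange carries no username ("-") and is ignored;
    later 401s with a username are real failed attempts.
    """
    failed = defaultdict(set)   # host -> usernames that were rejected
    suspicious = {}
    for line in lines:
        rec = parse(line)
        if not rec or push_marker not in rec["request"]:
            continue
        host, user, status = rec["host"], rec["user"], rec["status"]
        if status == "401" and user != "-":
            failed[host].add(user)
        elif status == "200" and len(failed[host]) >= min_usernames:
            suspicious[host] = {"tried": sorted(failed[host]), "succeeded_as": user}
    return suspicious


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in backdoor_trigger_hits(lines):
        print("backdoor trigger from", rec["host"], "agent:", rec["agent"])
    for host, info in username_guessing(lines).items():
        print("username guessing from", host, info)
```

On the sample data the script reports one trigger hit from 203.0.113.7 and one guessing host, 198.51.100.9, which was rejected as alpha and bravo before pushing as charlie; the ordinary push from 192.0.2.4 is not flagged. The same two checks map directly onto the article's description: the first detects use of the backdoor after the fact, the second the kind of authentication pattern Popov describes in the push logs.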

Master.php.net, which is used for authentication and various management tasks, was running “very old code and on a very old operating system/PHP version so some kind of vulnerability would not be terribly surprising,” Popov said.

As a security measure, the team has migrated master.php.net to a new main.php.net system with support for TLS 1.2 and reset all existing passwords. Additionally, passwords are now stored using bcrypt, Popov said.
