PHP maintainer Nikita Popov has published an update regarding the security incident involving alleged PHP source code compromise that came to light at the end of March 2021.
On March 28, an unknown malicious actor pushed two malicious commits to the php-src repository under the names of Nikita Popov and the PHP creator Rasmus Lerdorf.
The malicious commits were disguised as fixes for minor typographical errors. Looking more closely at line 370, where the zend_eval_string function is called, contributors noticed that the code actually adds a backdoor allowing remote code execution on any website running the compromised PHP version: the code to execute is taken from the user-agent HTTP header and is run only if that header's value starts with 'zerodium', the name of a well-known exploit seller.
Initially, the development team believed that the server hosting the repository had been compromised. In a new message, however, Popov said: “We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked.”
Further investigation into the incident revealed that the malicious commits were pushed using HTTPS and password-based authentication.
“Something I was not aware of at the time is that git.php.net (intentionally) supported pushing changes not only via SSH (using the gitolite infrastructure and public key cryptography), but also via HTTPS. The latter did not use gitolite, and instead used git-http-backend behind Apache2 Digest authentication against the master.php.net user database,” the PHP maintainer explained.
“It is notable that the attacker only makes a few guesses at usernames, and successfully authenticates once the correct username has been found. While we don't have any specific evidence for this, a possible explanation is that the user database of master.php.net has been leaked, although it is unclear why the attacker would need to guess usernames in that case,” he added.
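The username-guessing pattern Popov describes leaves a trace in the web server's own access log, because Apache records the attempted username even on a 401 response. As an added example (not code from php.net or the PHP project), the Python below scans constructed Apache combined-format log lines for a client that fails authentication under several different usernames against the HTTPS push endpoint and then succeeds; the repository path, usernames and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Apache combined log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines (hypothetical repository path, users and addresses),
# not taken from any real php.net log. "-" in the user field is the initial
# challenge before the client sent any credentials.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2021:10:00:01 +0000] "GET /repository/php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"
203.0.113.7 - a.smith [28/Mar/2021:10:00:02 +0000] "GET /repository/php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"
203.0.113.7 - asmith [28/Mar/2021:10:00:05 +0000] "GET /repository/php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"
203.0.113.7 - alice.smith [28/Mar/2021:10:00:09 +0000] "GET /repository/php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 200 1211 "-" "git/2.30.0"
203.0.113.7 - alice.smith [28/Mar/2021:10:00:10 +0000] "POST /repository/php-src.git/git-receive-pack HTTP/1.1" 200 53 "-" "git/2.30.0"
198.51.100.4 - bob [28/Mar/2021:10:01:00 +0000] "GET /repository/php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 200 1211 "-" "git/2.30.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def detect_username_guessing(log_text, min_failed_users=2):
    """Return one finding per client that was rejected under several distinct
    usernames on the push endpoint and then authenticated successfully."""
    failed = defaultdict(list)  # ip -> distinct usernames seen on 401 responses, in order
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or "git-receive-pack" not in e["request"]:
            continue  # only the HTTPS push path is of interest here
        if e["status"] == 401 and e["user"] != "-":
            if e["user"] not in failed[e["ip"]]:
                failed[e["ip"]].append(e["user"])
        elif e["status"] == 200 and len(failed[e["ip"]]) >= min_failed_users:
            findings.append({"ip": e["ip"], "tried": list(failed[e["ip"]]),
                             "succeeded_as": e["user"]})
            failed[e["ip"]].clear()  # one finding per guess-then-success run
    return findings


if __name__ == "__main__":
    for f in detect_username_guessing(SAMPLE_LOG):
        print(f"{f['ip']} failed as {f['tried']} then pushed as {f['succeeded_as']}")
```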
Master.php.net, which is used for authentication and various management tasks, was running “very old code and on a very old operating system/PHP version so some kind of vulnerability would not be terribly surprising,” Popov said.
As a security measure, the team has migrated master.php.net to a new main.php.net system with support for TLS 1.2 and reset all existing passwords. Additionally, passwords are now stored using bcrypt, Popov said.