PHP maintainers blame master.php.net database leak

Late last month, news broke that an attacker had compromised the server used to distribute the PHP programming language and added a backdoor to its source code that would have left websites vulnerable to full takeover, members of the open source project said.

The problem arose from two commits pushed to the PHP Git server over the weekend of March 27, each adding a line that, if deployed on a website running this hijacked version of PHP, would have allowed unauthenticated visitors to run code of their choice.

The malicious commits made PHP execute code supplied by any visitor whose request carried an HTTP header containing the word "zerodium". The commits were made in the php-src repository under the account names of two well-known PHP developers, Rasmus Lerdorf and Nikita Popov.

After the incident, Popov explained that PHP officials had concluded that maintaining their own independent Git infrastructure represented an unnecessary security risk.

As a result, they decided to shut down the git.php.net server and make GitHub the official home of the PHP repositories. In the future, all changes to the PHP source code will be made directly on GitHub instead of on git.php.net.

PHP maintainer Nikita Popov has released an update on how the source code was compromised and the malicious code inserted, blaming a leak of a user database rather than a problem with the server itself.

The team originally believed that the server hosting the repository had been hacked, but in a new post, Popov said:

“We no longer believe that the git.php.net server has been compromised. However, the master.php.net user database may have been leaked.” master.php.net has also been migrated to a new system, main.php.net.

Here are the details Popov gave about the progress of the investigation:

“When the first malicious commit was made under Rasmus's name, my initial reaction was to revert the change and revoke commit access from Rasmus's account, assuming it was an individual account hack. In hindsight, this action didn't really make sense, because no push was happening through Rasmus's account in particular. Any account with access to the php-src repository could have pushed under a fake name.

“When the second malicious commit was made under my own name, I looked at our gitolite installation logs to determine which account was actually being used to push. However, although all adjacent commits were accounted for, there were no git-receive-pack entries for the two malicious commits, meaning that these two commits bypassed the gitolite infrastructure entirely. This was interpreted as probable proof of a server compromise.”

Actions that have now been taken include resetting all passwords and modifying the code to use parameterized queries to protect against SQL injection attacks.

Using parameterized queries has been recommended best practice for many years, and the fact that code at the heart of the PHP source code infrastructure was still not doing so shows how long insecure legacy code can persist in an organization as long as it keeps working and causes no obvious problems.

The master.php.net system, which is used for authentication and various administration tasks, was running very old code on a very old PHP version and OS, so some kind of vulnerability would not be very surprising. The maintainers have made a number of changes to increase the security of this system:

  • master.php.net has been migrated to a new system (running PHP 8) and renamed main.php.net at the same time. Among other things, the new system supports TLS 1.2, which means you should no longer see TLS version warnings when accessing the site.
  • The implementation has been moved to parameterized queries, to ensure that SQL injection cannot occur.
  • Passwords are now stored using bcrypt.
  • Existing passwords have been reset (use main.php.net/forgot.php to generate a new one).
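As an added example (not code from php.net's master.php.net system), the two fixes listed above, parameterized queries and bcrypt password storage, applied to a small PHP login check over an in-memory SQLite database so it runs offline; the table, sample user and function names are constructed for the illustration.

```php
<?php
// Added example, not php.net's own code. Shows PDO prepared statements
// (bound parameters, no string-built SQL) and bcrypt via password_hash().
declare(strict_types=1);

function createUserStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Let SQLite bind the parameters itself rather than PDO emulating them
    // by splicing escaped values into the SQL text.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void {
    // bcrypt with a per-password random salt; both are embedded in the hash.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// True only when the user exists and the password matches. The username is
// a bound parameter, so quotes or comment markers inside it are compared as
// data, never parsed as SQL.
function checkLogin(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Verify against a throwaway hash so an unknown username costs about
        // the same time as a wrong password.
        static $dummy = null;
        $dummy ??= password_hash('dummy', PASSWORD_BCRYPT, ['cost' => 12]);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $row['pw_hash'])) {
        return false;
    }
    // Upgrade hashes stored with an older cost or algorithm on successful login.
    if (password_needs_rehash($row['pw_hash'], PASSWORD_BCRYPT, ['cost' => 12])) {
        $db->prepare('UPDATE users SET pw_hash = :h WHERE username = :u')
           ->execute([':h' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]),
                      ':u' => $username]);
    }
    return true;
}

$db = createUserStore();
registerUser($db, "o'connor", 'correct horse battery staple'); // constructed sample user
var_dump(checkLogin($db, "o'connor", 'correct horse battery staple'));
var_dump(checkLogin($db, "o'connor", 'wrong password'));
var_dump(checkLogin($db, 'nobody', 'anything'));
```

Requires the pdo_sqlite extension; the quote in the sample username is handled as ordinary data because it never reaches the SQL text.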

Source: https://externals.io
