8 April 2021

PHP maintainer releases update on PHP source code compromise: User database may have been leaked


PHP maintainer Nikita Popov has published an update regarding the security incident involving alleged PHP source code compromise that came to light at the end of March 2021.

On March 28, an unknown malicious actor pushed two malicious commits to the php-src repository under the names of Nikita Popov and the PHP creator Rasmus Lerdorf.

The malicious commits were disguised as fixes for minor typographical errors. However, on closer inspection of line 370, where the zend_eval_string function is called, contributors noticed that the code actually adds a backdoor that allows malicious code execution on a website running the vulnerable PHP version. The injected code is executed from within the User-Agent HTTP header if the header value starts with 'zerodium', the name of a well-known exploit seller.
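From a defender's side, the useful follow-up to a trigger string like this is to check whether any request carrying it ever reached a server. The following PHP script is an added example written for this article, not code from php.net or the PHP project: it parses web-server access-log lines in the Apache "combined" format and flags requests whose User-Agent header begins with "zerodium", as described above. The log lines, IP addresses and the placeholder payload text are constructed for the example; the prefix check is case-sensitive because that is how the article describes the trigger.

```php
<?php
// Added example, not code from the article or the PHP project: scan access-log
// lines in the Apache "combined" format and flag requests whose User-Agent header
// begins with "zerodium", the trigger string the backdoored commit checked for.
// All sample log lines below are constructed for the example.
declare(strict_types=1);

// Apache escapes embedded quotes as \" inside quoted fields, so each quoted
// field is matched as "any non-quote character or any escaped character".
// (In a single-quoted PHP string, \\\\ becomes \\ in the pattern text.)
const COMBINED_LOG_RE =
    '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<request>(?:[^"\\\\]|\\\\.)*)" '
    . '(?<status>\d{3}) (?<bytes>\S+) "(?<referer>(?:[^"\\\\]|\\\\.)*)" '
    . '"(?<ua>(?:[^"\\\\]|\\\\.)*)"$/';

/** Parse one combined-format line into its fields, or null if it does not match. */
function parseCombinedLogLine(string $line): ?array
{
    if (preg_match(COMBINED_LOG_RE, $line, $m) !== 1) {
        return null; // malformed line or a different log format
    }
    return [
        'ip'      => $m['ip'],
        'time'    => $m['time'],
        'request' => $m['request'],
        'status'  => (int) $m['status'],
        'ua'      => stripslashes($m['ua']), // undo Apache's \" and \\ escaping
    ];
}

/** True if the User-Agent value starts with the trigger prefix (case-sensitive). */
function isTriggerUserAgent(string $ua): bool
{
    $prefix = 'zerodium';
    return strncmp($ua, $prefix, strlen($prefix)) === 0;
}

/**
 * Scan an array of raw log lines; return matching entries (with 1-based line
 * numbers) and a count of non-empty lines that could not be parsed, so that a
 * log in an unexpected format is noticed rather than silently reported clean.
 */
function scanAccessLog(array $lines): array
{
    $hits = [];
    $unparsed = 0;
    foreach ($lines as $index => $raw) {
        $line = rtrim($raw, "\r\n");
        $entry = parseCombinedLogLine($line);
        if ($entry === null) {
            if (trim($line) !== '') {
                $unparsed++;
            }
            continue;
        }
        if (isTriggerUserAgent($entry['ua'])) {
            $entry['line'] = $index + 1;
            $hits[] = $entry;
        }
    }
    return ['hits' => $hits, 'unparsed' => $unparsed];
}

// Constructed sample: a benign browser request, a request carrying the trigger
// prefix followed by placeholder text standing in for attacker-chosen content,
// and one line in a different format to exercise the unparsed counter.
$sample = [
    '203.0.113.5 - - [28/Mar/2021:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [28/Mar/2021:10:16:44 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "zerodium EXAMPLE-PLACEHOLDER"',
    'this line is not in combined format',
];

$result = scanAccessLog($sample);
foreach ($result['hits'] as $hit) {
    printf("line %d: %s requested \"%s\" with User-Agent \"%s\"\n",
        $hit['line'], $hit['ip'], $hit['request'], $hit['ua']);
}
printf("%d suspicious request(s), %d unparsed line(s)\n",
    count($result['hits']), $result['unparsed']);
```

To run it against a real log, replace the `$sample` array with `file('/path/to/access.log')`. The unparsed counter matters in practice: a log written in a custom format would otherwise produce zero hits and look clean.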

Initially, the development team believed that the server hosting the repository had been compromised. However, in a new message Popov said: “We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked.”

Further investigation into the incident revealed that the malicious commits were pushed using HTTPS and password-based authentication.

“Something I was not aware of at the time is that git.php.net (intentionally) supported pushing changes not only via SSH (using the gitolite infrastructure and public key cryptography), but also via HTTPS. The latter did not use gitolite, and instead used git-http-backend behind Apache2 Digest authentication against the master.php.net user database,” the PHP maintainer explained.

“It is notable that the attacker only makes a few guesses at usernames, and successfully authenticates once the correct username has been found. While we don't have any specific evidence for this, a possible explanation is that the user database of master.php.net has been leaked, although it is unclear why the attacker would need to guess usernames in that case,” he added.

Master.php.net, which is used for authentication and various management tasks, was running “very old code and on a very old operating system/PHP version so some kind of vulnerability would not be terribly surprising,” Popov said.

As a security measure, the team has migrated master.php.net to a new main.php.net system with support for TLS 1.2 and reset all existing passwords. Additionally, passwords are now stored using bcrypt, Popov said.
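The practical point behind "passwords are now stored using bcrypt" is that a leaked user database then yields slow, salted hashes rather than reusable credentials. The PHP code below is an added example for this article, not the php.net team's implementation: it stores credentials with PHP's `password_hash()` using `PASSWORD_BCRYPT`, verifies them with `password_verify()`, and upgrades hashes whose cost is below the current policy on the next successful login via `password_needs_rehash()`. The in-memory `UserStore` class, the username `alice` and the sample passwords are constructed for the example.

```php
<?php
// Added example, not code from the php.net project: bcrypt credential storage
// with PHP's built-in password_* functions. The in-memory store and the sample
// user are constructed for the example.
declare(strict_types=1);

final class UserStore
{
    /** @var array<string, string> username => bcrypt hash string */
    private array $hashes = [];

    /** bcrypt work factor: each +1 roughly doubles the hashing time. */
    private int $cost;

    /** Hash verified for unknown usernames so the response time does not reveal
     *  whether an account exists (the article notes the attacker guessed usernames). */
    private string $dummyHash;

    public function __construct(int $cost = 12)
    {
        $this->cost = $cost;
        $this->dummyHash = $this->hash(bin2hex(random_bytes(16)));
    }

    /** Raise the work factor; existing hashes are upgraded lazily at next login. */
    public function raiseCost(int $cost): void
    {
        if ($cost < $this->cost) {
            throw new InvalidArgumentException('cost may only be raised');
        }
        $this->cost = $cost;
    }

    public function setPassword(string $username, string $password): void
    {
        $this->hashes[$username] = $this->hash($password);
    }

    public function authenticate(string $username, string $password): bool
    {
        $known = isset($this->hashes[$username]);
        $hash  = $known ? $this->hashes[$username] : $this->dummyHash;

        // Always run the verification, even for unknown users, then reject.
        if (!password_verify($password, $hash) || !$known) {
            return false;
        }
        // Plaintext is available only now, so this is the moment to upgrade a
        // hash created under an older, lower cost setting.
        if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $this->cost])) {
            $this->setPassword($username, $password);
        }
        return true;
    }

    /** Cost parameter recorded inside a user's stored hash (null if unknown). */
    public function storedCost(string $username): ?int
    {
        if (!isset($this->hashes[$username])) {
            return null;
        }
        return password_get_info($this->hashes[$username])['options']['cost'];
    }

    private function hash(string $password): string
    {
        // bcrypt only consumes the first 72 bytes; refuse longer input instead
        // of silently truncating it.
        if (strlen($password) > 72) {
            throw new InvalidArgumentException('password exceeds the 72-byte bcrypt limit');
        }
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $this->cost]);
    }
}

// Constructed walk-through: create an account at cost 10, log in, then raise the
// policy to cost 12 and show that the next successful login re-hashes the password.
$store = new UserStore(10);
$store->setPassword('alice', 'correct horse battery staple');

printf("cost before upgrade: %d\n", $store->storedCost('alice'));
printf("wrong password accepted: %s\n", var_export($store->authenticate('alice', 'wrong'), true));
printf("unknown user accepted:   %s\n", var_export($store->authenticate('nobody', 'whatever'), true));

$store->raiseCost(12);
printf("correct password accepted: %s\n", var_export($store->authenticate('alice', 'correct horse battery staple'), true));
printf("cost after upgrade: %d\n", $store->storedCost('alice'));
```

Two design points are worth noting. First, `password_needs_rehash()` is what makes a cost increase deployable without a password reset: hashes are upgraded one login at a time. Second, the 72-byte check is a real bcrypt limit, not a policy choice; rejecting over-long input is safer than truncating it silently.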
