
PHP source code was given backdoors thanks to a compromise of the Git server.


In the most recent software supply chain attack, the official PHP Git repository was breached and the code base was modified.

Yesterday, two malicious commits were pushed to the php-src Git repository, which is hosted on the PHP team’s git.php.net server.
The threat actors had signed off on these commits as though Rasmus Lerdorf and Nikita Popov, two well-known PHP developers and maintainers, had made them.

PHP Git server has an RCE backdoor installed.

Yesterday, two malicious contributions were uploaded to the official PHP Git repository in an effort to corrupt the PHP code base.
The event is concerning since 79% of websites on the Internet still use PHP as their server-side programming language.

In the malicious commits [1, 2] seen by BleepingComputer, the attackers pushed a mysterious change upstream called “repair typo”, under the guise of a minor typographical correction.

A closer look at the newly added line 370, where the zend_eval_string function is called, reveals that the code in fact plants a backdoor for easily achieving Remote Code Execution (RCE) on a website running this hijacked version of PHP.

PHP developer Jake Birchall responded to Michael Voříšek, who had originally discovered the error, with the explanation, “This line runs PHP code from within the useragent HTTP header, if the string starts with ‘zerodium’.”

Nikita Popov, a PHP maintainer, explained the following to us through email:

“During a regular post-commit code review a few hours after the initial commit, it was discovered. The modifications were immediately undone since they were blatantly malicious,” Popov told BleepingComputer.

The malicious commit was also made under the identity of Rasmus Lerdorf, the person who created PHP.

But that should come as no surprise: with source code version control systems like Git, it is possible to sign off on a change locally under a different identity [1, 2] and then push the spoofed commit to the remote Git server, where it appears to have been signed off by the person named on it.
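The point above can be seen in the commit object itself. The following is an added example, not code from the PHP project or from the original article: it parses commit objects and flags any that name a protected maintainer as author but carry no signature. The commit objects, object ids, e-mail address and function names are constructed for illustration.

```python
# Constructed commit objects in the layout `git cat-file commit <id>` prints.
# Object ids, the e-mail address and the signature body are placeholders.
UNSIGNED = """\
tree 1111111111111111111111111111111111111111
parent 2222222222222222222222222222222222222222
author Well Known Maintainer <maintainer@example.org> 1600000000 +0000
committer Well Known Maintainer <maintainer@example.org> 1600000000 +0000

constructed example change
"""
SIGNED = """\
tree 3333333333333333333333333333333333333333
parent 2222222222222222222222222222222222222222
author Well Known Maintainer <maintainer@example.org> 1600000100 +0000
committer Well Known Maintainer <maintainer@example.org> 1600000100 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 PLACEHOLDER-SIGNATURE-BODY
 -----END PGP SIGNATURE-----

constructed signed change
"""

def parse_commit(raw):
    """Split a raw commit object into (headers, message)."""
    head, _, message = raw.partition("\n\n")
    headers, key = {}, None
    for line in head.split("\n"):
        if line.startswith(" ") and key:   # continuation of a multi-line header
            headers[key] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers[key] = value
    return headers, message

def audit(commits, protected_emails):
    """Flag commits that claim a protected author but carry no signature.

    The author line is free text chosen by whoever created the commit. A
    gpgsig header is necessary, not sufficient: it still has to verify
    against the maintainer's known key (for example with `git verify-commit`).
    """
    findings = []
    for commit_id, raw in commits.items():
        headers, message = parse_commit(raw)
        name, _, rest = headers["author"].partition(" <")
        email = rest.partition(">")[0]
        if email in protected_emails and "gpgsig" not in headers:
            findings.append((commit_id, name, message.strip().splitlines()[0]))
    return findings

FINDINGS = audit({"c1": UNSIGNED, "c2": SIGNED}, {"maintainer@example.org"})
```

Against a real repository, `git log --format='%H %G? %ae'` gives the same signal, with `N` marking a commit that has no signature.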

According to PHP maintainers, this malicious activity originated from the compromised git.php.net server rather than from the compromise of an individual’s Git account, although a thorough investigation of the incident is still under way.

The official PHP codebase has been moved to GitHub.

Following this event, the PHP maintainers have chosen to move the official PHP source code repository to GitHub as a precaution.

“We’ve made the decision to stop running the git.php.net server even though our investigation is still ongoing since we believe that keeping our own git infrastructure is an unnecessary security risk.”

Popov stated that the GitHub repositories, which were previously merely mirrors, “would become canonical.”

After this modification, Popov demands that any future code updates be uploaded directly to GitHub rather than the git.php.net site.

Anyone who wants to contribute to the PHP project must now join the PHP organisation on GitHub.

The same security alert includes advice for doing that.

You would need to have two-factor authentication (2FA) set on your GitHub account in order to join the organisation.

“We’re investigating the repositories for any corruption beyond the two commits that were mentioned,” says Popov.

In order to learn the full scope of this attack and if any code was transmitted downstream before the fraudulent changes were discovered, BleepingComputer contacted Popov and the PHP security team.

Although it could have been cloned or forked in the interim, no tags or release artefacts reflect the changes.

Popov added to BleepingComputer, “The modifications were in the development branch for PHP 8.1, which is scheduled for release at the end of the year.”

The PHP team has confirmed to BleepingComputer that they want to decommission their git server ultimately and switch to GitHub permanently in the coming days.
