PHP Developers Warn About Potential Data Leak

PHP developers and maintainers are now weighing the possibility that a data leak, rather than a compromise of their Git server, is what let attackers plant a backdoor in the main repository.

Last month, PHP developers and maintainers warned that unknown individuals have pushed two malicious commits to the php-src Git repository maintained by the PHP team at git.php.net.

The commits were disguised as a simple “fix a typo” change and were signed with the names of well-known PHP developers and maintainers: Rasmus Lerdorf and Nikita Popov.

As it turned out, the attackers were trying to inject a backdoor into the PHP codebase. Had the malicious code reached a production release, it would have allowed attackers to execute their own commands on victims’ servers.

Fortunately, the malicious commits did not survive in the code for even a few hours: they were promptly noticed and reverted. In addition, as a precautionary measure, the PHP maintainers decided to move the official repository entirely to GitHub and to discontinue git.php.net.

As Nikita Popov has now reported, the earlier theory that the git.php.net server itself was compromised has been ruled out. The working theory is now a leak of the user database from master.php.net: the investigation showed that the malicious commits were pushed over HTTPS with password-based authentication, which suggests that the master.php.net database had been compromised.

“git.php.net (intentionally) supports pushing changes not only over SSH (using the Gitolite framework and public key cryptography), but also over HTTPS. The latter did not use Gitolite, but instead used git-http-backend with Apache 2 Digest authentication on the master.php.net user database. It is noteworthy that the attacker, in just a few attempts, brute-forced usernames and successfully authenticated after the correct username was found. While we don’t have any concrete evidence, a possible explanation is that the master.php.net database was leaked, although in this case it is not clear why the attacker needed to brute-force usernames,” Popov writes.

As a result, the developers migrated master.php.net to a new main.php.net system that supports TLS 1.2, reset all existing passwords, and will from now on store passwords with bcrypt instead of MD5.
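The storage change described above (MD5 digests replaced with bcrypt), shown as an added example that is not code from php.net’s own infrastructure: a login check that verifies against the stored hash, upgrades any remaining legacy MD5 row to bcrypt on the next successful login, and costs the same time for unknown usernames so that timing does not reveal which names exist. The in-memory user table, user names and passwords are constructed for the example.

```php
<?php
declare(strict_types=1);

const BCRYPT_COST = 12;

// Constructed sample user database. "legacy" rows hold unsalted MD5 digests,
// the weak scheme the article says master.php.net used before the reset.
$users = [
    'alice' => ['scheme' => 'legacy', 'hash' => md5('correct horse')],
    'bob'   => ['scheme' => 'bcrypt',
                'hash'   => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])],
];

/**
 * Verify a login and, for legacy MD5 rows, transparently upgrade the stored
 * hash to bcrypt. Returns true on success, false otherwise.
 */
function verifyAndUpgrade(array &$users, string $username, string $password): bool
{
    // A valid bcrypt hash of a throwaway value, computed once, so that a
    // lookup for an unknown username still pays the full bcrypt cost.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);

    if (!isset($users[$username])) {
        password_verify($password, $dummyHash);   // equalise timing, then reject
        return false;
    }
    $row = &$users[$username];

    if ($row['scheme'] === 'legacy') {
        // Constant-time comparison of the unsalted MD5 digest.
        if (!hash_equals($row['hash'], md5($password))) {
            return false;
        }
        // The plaintext is available at login time, so rehash with bcrypt now.
        $row = ['scheme' => 'bcrypt',
                'hash'   => password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])];
        return true;
    }

    if (!password_verify($password, $row['hash'])) {
        return false;
    }
    // Rehash if the cost parameter has been raised since this hash was made.
    if (password_needs_rehash($row['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $row['hash'] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

var_dump(verifyAndUpgrade($users, 'alice', 'correct horse'));
var_dump($users['alice']['scheme']);
var_dump(verifyAndUpgrade($users, 'bob', 'wrong password'));
```

After the first call, alice’s row no longer contains an MD5 digest, so a later leak of the table exposes only bcrypt hashes.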


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing from Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
