An unknown attacker on Sunday was able to gain access to the main Git server for PHP and push two malicious commits to the source code, one of which was a backdoor. One of the contributors to PHP said the commits used the names of him and another contributor, but said the attack was likely not just a simple credential theft.
As a result of the incident, the PHP project will not continue to maintain its own Git server on its infrastructure and will instead make the GitHub server the canonical one.
“We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” Nikita Popov, one of the main contributors to PHP, said in a message to the PHP mailing list.
“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.”
PHP is one of the more popular scripting languages in use on the web, running on nearly 80 percent of web servers.
The backdoor in the PHP source code was a simple change that would allow an attacker to supply code inside the HTTP useragent header that PHP would then execute. The PHP maintainers noticed the changes relatively quickly after they were made and reversed them. It’s not clear how many servers downloaded the malicious version.
“We're reviewing the repositories for any corruption beyond the two referenced commits,” Popov said.
The malicious code that creates the backdoor contains a line saying that the bug had been sold to Zerodium, a company that buys bugs and exploits, in 2017. Chaouki Nekrar, Zerodium’s founder, said on Twitter that was not true.
“Cheers to the troll who put "Zerodium" in today's PHP git compromised commits. Obviously, we have nothing to do with this. Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun,” Bekrar said.
In addition to moving the PHP repositories to GitHub, the maintainers may also begin requiring that commits be signed, something that is not mandatory at the moment.
“I think for php-src commits we can require it. For doc and other repos we can make it optional for now until people are more comfortable with it,” Rasmus Lerdorf, co-author of PHP, said in a message to the project’s mailing list Monday.