Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
PHP Privacy Security

PHP's Git Server Hacked To Add Backdoors To PHP Source Code (bleepingcomputer.com) 87

dotancohen writes: Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src Git repository. These commits were pushed to create a backdoor that would have effectively allowed attackers to achieve remote code execution through PHP and an HTTP header. "The incident is alarming considering PHP remains the server-side programming language to power over 79% of the websites on the Internet," adds BleepingComputer.

"In the malicious commits [1, 2] the attackers published a mysterious change upstream, 'fix typo' under the pretense this was a minor typographical correction. However, taking a look at the added line 370 where zend_eval_string function is called, the code actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on a website running this hijacked version of PHP."

According to Popov, the first commit was detected a couple hours after it was made, and the changes were reverted right away. "Although a complete investigation of the incident is ongoing, according to PHP maintainers, this malicious activity stemmed from the compromised git.php.net server, rather than compromise of an individual's Git account," reports BleepingComputer. "As a precaution following this incident, PHP maintainers have decided to migrate the official PHP source code repository to GitHub."
This discussion has been archived. No new comments can be posted.

PHP's Git Server Hacked To Add Backdoors To PHP Source Code

Comments Filter:
  • else it would have been the official release.
    What about adding some checks to see if someone adds some remote code execution calls?

  • Uh oh (Score:5, Funny)

    by 93 Escort Wagon ( 326346 ) on Monday March 29, 2021 @08:45PM (#61215642)

    This could have tarnished PHP's stellar security track record!

    • Re:Uh oh (Score:5, Funny)

      by BAReFO0t ( 6240524 ) on Monday March 29, 2021 @09:34PM (#61215752)

      I was thinking: The backdoor... How could they tell it from all the others?

      • by Anonymous Coward

        The same way we can tell yours: by the smell!
        CROFLOL you fat loser!!

    • Had a good laugh, thanks. But to be fair, from the version 7/7.2 PHP is more solidly secure (and way faster). Currently the remaining main problem with PHP is not its language and structure ; it's its "easiness" making everyone pretend to be a programmer.
      • by Anonymous Coward

        Remember that PHP: A Fractal of Bad Design blogpost that made the rounds like 10 years ago?

        Most, if not all of it, still applies with PHP 7. It's terrifying.

        • Remember that PHP: A Fractal of Bad Design blogpost that made the rounds like 10 years ago?

          Most, if not all of it, still applies with PHP 7. It's terrifying.

          What is terrifying exactly, today? I remember very well, and was among the ones criticizing PHP at the time. I saw the interpreter evolve in 10 years and think that, again, a (decent) developer is now able to build a strong program, as most of the dangerous crap has been removed. For the blog, '==' is not useless if you know what you're doing (it used to be dangerous), and is "fixed" in php 8 ; '[ ]' spelled as '{}' was only for chars, removed in php 7.4 ; and the whole part about '[ ]' has been wrong for a

          • by Anonymous Coward

            Please. == in PHP is not only useless; is downright dangerous, and a common indicator of poor programming practices for the language.

            I recently had to work with PHP 7, and i was stuck by how errors and exceptions are still completely separate entities. 15 years later and we're still dealing with the same basic, core issues.

    • by raymorris ( 2726007 ) on Monday March 29, 2021 @10:36PM (#61215874) Journal

      PHP got a bad reputation for security (and deserved it) during PHP 3 and PHP 4. Also beyond security, Rasmus was making a CMS. He wasn't intending to design a new programming language, so - he didn't. It wasn't really designed. Significant improvements were made in PHP 5.

      PHP 5 was released in 2004. So a significant amount of the criticism is rather outdated at this point, particularly of the language itself.

      On the other hand, PHP is easy. Like Lego, PHP allows people to build things without needing to know much about how to build things properly. It is therefore popular with people who aren't highly trained. Ie. people who make more mistakes than average. The language itself is pretty decent nowadays, though, and can certainly be used to make good software. If the programmer has been taught how to make good software. Facebook gets attacked probably 20,000 a day and their PHP code survives this constant attacks.

      Speaking of Lego and programming languages, when Lego needed a programming language for kids to use to program their Lego creations, they chose Python. Because it's a good fit for Lego - an easy way to build things. Much like PHP. All make it easy to build things without necessarily needing to learn that much first. Neither Lego, not PHP or Python are *necessarily* appropriate for building something your enterprise depends on, particularly if the people doing the building use those tools *because* they don't know enough to use more sophisticated tools.

      Again, SOME people certainly can build good stuff using any of those three. I'm referring to people who would build in PHP or Python because that's the only tool they can handle. Much like you wouldn't hire someone who can only build with Lego because they don't know really how to build things with more sophisticated methods. Someone who can write software in C++, assembly, Lisp, and PHP can probably write really good software in PHP.

      • I actually largely agree with you. I still remember the days, however, when you could count on PHP showing up at least once on the majority of SANS’ newsletters.

        I don’t think Facebook has run on stock PHP for a long time, though.

      • It doesnt matter if you are writing a CMS or a language, there are bad practices that apply in both cases and many of those rules were broken with PHP design.
      • Much like you wouldn't hire someone who can only build with Lego because they don't know really how to build things with more sophisticated methods. Someone who can write software in C++, assembly, Lisp, and PHP can probably write really good software in PHP.

        You can use all the silly analogies that you want; PHP's proof is in the pudding. It's apparently good enough for most of the web. you know, that tiny, tiny market space ...

        if we must use analogies, you could build your web stuff in Haskell or something. Your house will take 100 years to build, but boy will it be secure! It will only theoretically have a door and windows though.

        • 127 million people live in Mexico. So, by your thinking, the economy of Mexico is good enough for 127 million people. It would be silly to try to improve it - 127 million people live with it. Silly Mexicans have no reason to want to go to the US, right?

          McDonald's has served more food than any other restaurant, so McDonald's must be some of the best food ever made, right?

          Yep, a lot of people throw a web site online without knowing what they are doing. And each day thousands of those sites go down, offline. T

          • 127 million people live in Mexico. So, by your thinking, the economy of Mexico is good enough for 127 million people. It would be silly to try to improve it - 127 million people live with it. Silly Mexicans have no reason to want to go to the US, right?

            No, by my thinking, when Mexicans are able to go to the US, they do. For the most part.

            In your analogy, Mexico is .NET or Java ...

    • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Tuesday March 30, 2021 @03:45AM (#61216370)

      Compared to its installbase, PHPs security record actually *is* stellar. It's a single-thread run-once-on-call-and-then-die Turing-complete logic thing for web documents and as such is pretty secure by its very nature. I can run a mission-critical PHP setup for years on end without even updating the host system and still be unbreachable whilst offering stable services of true value at the same time. Try that with your newfangled convoluted Java or Node thing.

      This happened sunday and they noticed right away. The last 48 hours most likely was the release crew sticking their heads together, analyzing that strange thing that made Gits cryptohash smoke-detector go off with extra-loud beeping noises on the core repo. The rest is rollback, redoing the repo and patching the security hole wich is most likely some guy further up having his laptop hacked.

      These are elite professionals at work, using the best of softwaretools the world has seen, aka Git, to keep a core technology of the intarweb - PHP - up and running without missing a beat.

      My respect for PHP continues to grown. You have to hand it to them: They and their baby gets the job done. Safe, secure and fast. No effing way any other setup for serverside webstuff would've handled such an incident better, faster or more professionally.

      My 2 senior webdev cents.

      • My respect for PHP continues to grown. ..
        My 2 senior webdev cents.

        We are all groaning.

      • I can run a mission-critical PHP setup for years on end without even updating the host system and still be unbreachable whilst offering stable services of true value at the same time.

        Go home, Qbert. You're drunk.

        99.9% of all security "oh shit" moments in my professional career that I've had to clean up after at the very least had PHP involved as the entry vector into a system with other problems (see: vulnerabilities) that was otherwise secure from outside intrusion.
        Anyone who has managed Plesk or Ensim large-scale hosting deployments knows what I'm talking about.

        I do really love the ease of use of PHP (and still use it myself for whipping up web portals where I need them) but it's

  • Is it just me (Score:4, Interesting)

    by rsilvergun ( 571051 ) on Monday March 29, 2021 @09:24PM (#61215728)
    or is it terrifying how much of our computing infrastructure is built off these relatively small projects?

    I'm not entirely sure what the solutions is (maybe gov't grants so they can hire more staff for security?) but we should probably think of something. This is the 3rd or 4th of these I've read here on /. in the last few years.
    • or is it terrifying how much of our computing infrastructure is built off these relatively small projects?

      What about our communication medias? Hint: twitter during the election.

    • The core problem is blind trust in parties that you're never got to know. (If you got to know them, you would not need to trust them. You'd have personal experience.)

      You can have all the redundancy and diversity you want, and design the safest of languages (say Haskell), and it'd still be meaningless because your browser and OS contain TLS root certificates from CAs that are people that you never met and often are /clearly/ untrustworthy.

      It's a problem that makes basically any big organization, in the loose

    • Errrm, wut? (Score:4, Insightful)

      by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Tuesday March 30, 2021 @04:00AM (#61216388)

      What in the lords name gives you the idea that PHP is a small project?!?? It's one of the most widespread software platforms in existence. Just because there's not a large megacorp behind it doesn't make it small. Linus has an office that is probably smaller than mine and he merges and releases on his personal 14" laptop. It still runs on a bazillion devices. Who gives a damn? He can thrown his laptop away, get a new one, pull from his inner circle and get back to work within an hour. It's software. Versioned with this awesome tool called Git, which makes this type of modern dev-work possible in the first place. The "size" of such a project is determined by install-base and the amount of professionals involved in the project. And trust me, PHP as a project has an epic army involved in development. And it's way easier to manage than others of large proportions, such as Java.

  • One detected (Score:4, Insightful)

    by hcs_$reboot ( 1536101 ) on Monday March 29, 2021 @10:26PM (#61215848)
    N to go...
  • Anybody can upload a forged commit, a bit of a gaping design flaw.

    “with source code version control systems like Git, it is possible to sign-off a commit as coming from anybody else locally and then upload the forged commit [bleepingcomputer.com] to the remote Git server, where it gives off the impression as if it had indeed been signed-off by the person named on it.”
    • by Entrope ( 68843 )

      Not a design flaw, but a security flaw, serious though it is. It's just like when FTP or HTTP servers get hacked to serve malicious content in place of what was supposed to be there. The usual technique to protect against that is to have a separate cryptographic digital signature on the content, not just for the server's TLS certificate.

      And as an AC up-thread mentioned, it is possible to digitally sign [git-scm.com] Git commits, not just by adding a Signed-Off-By line, and it's good practice for any high-profile projec

  • Cryptohash as detector for repo inconsistency. Brilliant move. Turns such a hack from epic disaster to minor annoyance.
    Effing brilliant, that what!

    Cudos for the PHP crew for handling this super-professionally as usual. Keep up the good work guys!

    • by Bert64 ( 520050 )

      Exactly, it was quickly detected and never made it into any release versions. The only people this ever could have affected, would be anyone who pulled the latest version from git in the small window before it was detected.

"Atomic batteries to power, turbines to speed." -- Robin, The Boy Wonder

Working...