PHP's Git Server Hacked To Add Backdoors To PHP Source Code

dotancohen writes: Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src Git repository. These commits were pushed to create a backdoor that would have effectively allowed attackers to achieve remote code execution through PHP and an HTTP header. "The incident is alarming considering PHP remains the server-side programming language to power over 79% of the websites on the Internet," adds BleepingComputer.

"In the malicious commits [1, 2] the attackers published a mysterious change upstream, 'fix typo' under the pretense this was a minor typographical correction. However, taking a look at the added line 370 where zend_eval_string function is called, the code actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on a website running this hijacked version of PHP."

According to Popov, the first commit was detected a couple hours after it was made, and the changes were reverted right away. "Although a complete investigation of the incident is ongoing, according to PHP maintainers, this malicious activity stemmed from the compromised git.php.net server, rather than compromise of an individual's Git account," reports BleepingComputer. "As a precaution following this incident, PHP maintainers have decided to migrate the official PHP source code repository to GitHub."

And a tttypo tripped all alarms

[thesjaakspoiler]

else it would have been the official release.
What about adding some checks to see if someone adds some remote code execution calls?

Re:And a tttypo tripped all alarms

[MBGMorden]

Doesn't sound like an actual typo raise the alarms, but rather a patch claiming to fix a typo.

Honestly the fact that they caught this within a few hours is best case scenario IMHO. The potential damage was sort of scary but I can't fault anyone in how it all played out.

Uh oh

[93 Escort Wagon]

This could have tarnished PHP's stellar security track record!

Re:Uh oh

[BAReFO0t]

I was thinking: The backdoor... How could they tell it from all the others?

Re:

[Anonymous Coward]

The same way we can tell yours: by the smell!
CROFLOL you fat loser!!

Re: Uh oh

[BAReFO0t]

Go cry in your usual corner, creimer.

Re:

[hcs_$reboot]

Had a good laugh, thanks. But to be fair, from the version 7/7.2 PHP is more solidly secure (and way faster). Currently the remaining main problem with PHP is not its language and structure ; it's its "easiness" making everyone pretend to be a programmer.

Re:

[Anonymous Coward]

Remember that PHP: A Fractal of Bad Design blogpost that made the rounds like 10 years ago?

Most, if not all of it, still applies with PHP 7. It's terrifying.

Re:

[The Evil Atheist]

What would be wrong with just HTML and CSS?

Re:

[The Evil Atheist]

Tons of people made one - it was called GeoCities (yes, an plenty others). Lots of people cut their teeth on making stuff on the internet using just HTML for their personal site which these days would be called a blog. Now that everything is much better standardized, and the standards are much better thought out, there's no reason for most blog sites not to consist of just static pages.

No need for fancy templates either.

Re:

[karmatic]

I'd write it in PHP. PHP is a horrible language.

It's also an easy to *deploy* language, supported by nearly every hosting provider on the planet. If I want users, then it's what I target.

If I wanted a good language, I'd write it in java ... for both of my users. Enterprise users.

Re:

[wimg]

So in what way is java better than PHP ? What can it do that PHP can't ?

Re:

[hcs_$reboot]

In Java, did you make a time machine? What you say was true 10 years ago. Not anymore.

Re:

[karmatic]

This guy sums it up way better than I can.

https://eev.ee/blog/2012/04/09... [eev.ee]

Java, love and hate it, has a relatively consistent design. It follows patterns, and has since the beginning.

PHP wasn't designed to be a programming language at all, and was originally a markup language only. OOP was a distant afterthought, and you still end up having to memorize which functions are (needle, haystack), and which are (haystack, needle). Sure, you /can/ write daemons in PHP, just like Java, but you really shouldn't.

Re:

[wimg]

Just like this article, your knowledge of PHP is 9 years outdated. In computing, that's an eternity. It was written when PHP 5.4 was the most recent version, we're now at 8.0. Most of what's mentioned in the article has been changed in some way since.

That doesn't mean there aren't improvements to be made, but every language has issues... and since you seem to love Java so much, I'll quote you : "this guy sums it up way better than I can" : https://tech.jonathangardner.n... [jonathangardner.net]

So as you can see, it works for eve

Re:

[karmatic]

What makes you think I like Java? I rather despise it, though it's well suited to writing good code.

I'm personally a fan of .NET, but the combination of "needs to run on platforms other than windows with a GUI" and "none of my customers want to run IIS or mono" tends to leave me with few uses for it either client or server side.

I'm familiar with the newer changes they have tack welded on to PHP. It's still a fundamentally shitty language, even if the performance is better and packagist makes things better

Re:

[hcs_$reboot]

Remember that PHP: A Fractal of Bad Design blogpost that made the rounds like 10 years ago?

Most, if not all of it, still applies with PHP 7. It's terrifying.

What is terrifying exactly, today? I remember very well, and was among the ones criticizing PHP at the time. I saw the interpreter evolve in 10 years and think that, again, a (decent) developer is now able to build a strong program, as most of the dangerous crap has been removed. For the blog, '==' is not useless if you know what you're doing (it used to be dangerous), and is "fixed" in php 8 ; '[ ]' spelled as '{}' was only for chars, removed in php 7.4 ; and the whole part about '[ ]' has been wrong for a

Re:

[Anonymous Coward]

Please. == in PHP is not only useless; is downright dangerous, and a common indicator of poor programming practices for the language.

I recently had to work with PHP 7, and i was stuck by how errors and exceptions are still completely separate entities. 15 years later and we're still dealing with the same basic, core issues.

To be fair, it has greatly improved over the years

[raymorris]

PHP got a bad reputation for security (and deserved it) during PHP 3 and PHP 4. Also beyond security, Rasmus was making a CMS. He wasn't intending to design a new programming language, so - he didn't. It wasn't really designed. Significant improvements were made in PHP 5.

PHP 5 was released in 2004. So a significant amount of the criticism is rather outdated at this point, particularly of the language itself.

On the other hand, PHP is easy. Like Lego, PHP allows people to build things without needing to know much about how to build things properly. It is therefore popular with people who aren't highly trained. Ie. people who make more mistakes than average. The language itself is pretty decent nowadays, though, and can certainly be used to make good software. If the programmer has been taught how to make good software. Facebook gets attacked probably 20,000 a day and their PHP code survives this constant attacks.

Speaking of Lego and programming languages, when Lego needed a programming language for kids to use to program their Lego creations, they chose Python. Because it's a good fit for Lego - an easy way to build things. Much like PHP. All make it easy to build things without necessarily needing to learn that much first. Neither Lego, not PHP or Python are *necessarily* appropriate for building something your enterprise depends on, particularly if the people doing the building use those tools *because* they don't know enough to use more sophisticated tools.

Again, SOME people certainly can build good stuff using any of those three. I'm referring to people who would build in PHP or Python because that's the only tool they can handle. Much like you wouldn't hire someone who can only build with Lego because they don't know really how to build things with more sophisticated methods. Someone who can write software in C++, assembly, Lisp, and PHP can probably write really good software in PHP.

Re:

[93 Escort Wagon]

I actually largely agree with you. I still remember the days, however, when you could count on PHP showing up at least once on the majority of SANS’ newsletters.

I don’t think Facebook has run on stock PHP for a long time, though.

Re:

[AlexHilbertRyan]

It doesnt matter if you are writing a CMS or a language, there are bad practices that apply in both cases and many of those rules were broken with PHP design.

Re:

[cascadingstylesheet]

Much like you wouldn't hire someone who can only build with Lego because they don't know really how to build things with more sophisticated methods. Someone who can write software in C++, assembly, Lisp, and PHP can probably write really good software in PHP.

You can use all the silly analogies that you want; PHP's proof is in the pudding. It's apparently good enough for most of the web. you know, that tiny, tiny market space ...

if we must use analogies, you could build your web stuff in Haskell or something. Your house will take 100 years to build, but boy will it be secure! It will only theoretically have a door and windows though.

Billions and billions served

[raymorris]

127 million people live in Mexico. So, by your thinking, the economy of Mexico is good enough for 127 million people. It would be silly to try to improve it - 127 million people live with it. Silly Mexicans have no reason to want to go to the US, right?

McDonald's has served more food than any other restaurant, so McDonald's must be some of the best food ever made, right?

Yep, a lot of people throw a web site online without knowing what they are doing. And each day thousands of those sites go down, offline. T

Re:

[cascadingstylesheet]

127 million people live in Mexico. So, by your thinking, the economy of Mexico is good enough for 127 million people. It would be silly to try to improve it - 127 million people live with it. Silly Mexicans have no reason to want to go to the US, right?

No, by my thinking, when Mexicans are able to go to the US, they do. For the most part.

In your analogy, Mexico is .NET or Java ...

There is no joke here. PHP is perfectly secure.

[Qbertino]

Compared to its installbase, PHPs security record actually *is* stellar. It's a single-thread run-once-on-call-and-then-die Turing-complete logic thing for web documents and as such is pretty secure by its very nature. I can run a mission-critical PHP setup for years on end without even updating the host system and still be unbreachable whilst offering stable services of true value at the same time. Try that with your newfangled convoluted Java or Node thing.

This happened sunday and they noticed right away. The last 48 hours most likely was the release crew sticking their heads together, analyzing that strange thing that made Gits cryptohash smoke-detector go off with extra-loud beeping noises on the core repo. The rest is rollback, redoing the repo and patching the security hole wich is most likely some guy further up having his laptop hacked.

These are elite professionals at work, using the best of softwaretools the world has seen, aka Git, to keep a core technology of the intarweb - PHP - up and running without missing a beat.

My respect for PHP continues to grown. You have to hand it to them: They and their baby gets the job done. Safe, secure and fast. No effing way any other setup for serverside webstuff would've handled such an incident better, faster or more professionally.

My 2 senior webdev cents.

Re:

[Cmdln Daco]

My respect for PHP continues to grown. ..
My 2 senior webdev cents.

We are all groaning.

Re:

[DamnOregonian]

I can run a mission-critical PHP setup for years on end without even updating the host system and still be unbreachable whilst offering stable services of true value at the same time.

Go home, Qbert. You're drunk.

99.9% of all security "oh shit" moments in my professional career that I've had to clean up after at the very least had PHP involved as the entry vector into a system with other problems (see: vulnerabilities) that was otherwise secure from outside intrusion.
Anyone who has managed Plesk or Ensim large-scale hosting deployments knows what I'm talking about.

I do really love the ease of use of PHP (and still use it myself for whipping up web portals where I need them) but it's

Is it just me

[rsilvergun]

or is it terrifying how much of our computing infrastructure is built off these relatively small projects?

I'm not entirely sure what the solutions is (maybe gov't grants so they can hire more staff for security?) but we should probably think of something. This is the 3rd or 4th of these I've read here on /. in the last few years.

Re:

[hcs_$reboot]

or is it terrifying how much of our computing infrastructure is built off these relatively small projects?

What about our communication medias? Hint: twitter during the election.

Let's dig deep into this:

[BAReFO0t]

The core problem is blind trust in parties that you're never got to know. (If you got to know them, you would not need to trust them. You'd have personal experience.)

You can have all the redundancy and diversity you want, and design the safest of languages (say Haskell), and it'd still be meaningless because your browser and OS contain TLS root certificates from CAs that are people that you never met and often are /clearly/ untrustworthy.

It's a problem that makes basically any big organization, in the loose

Errrm, wut?

[Qbertino]

What in the lords name gives you the idea that PHP is a small project?!?? It's one of the most widespread software platforms in existence. Just because there's not a large megacorp behind it doesn't make it small. Linus has an office that is probably smaller than mine and he merges and releases on his personal 14" laptop. It still runs on a bazillion devices. Who gives a damn? He can thrown his laptop away, get a new one, pull from his inner circle and get back to work within an hour. It's software. Versioned with this awesome tool called Git, which makes this type of modern dev-work possible in the first place. The "size" of such a project is determined by install-base and the amount of professionals involved in the project. And trust me, PHP as a project has an epic army involved in development. And it's way easier to manage than others of large proportions, such as Java.

One detected

[hcs_$reboot]

N to go...

Doesn't matter. It's Git.

[Qbertino]

GitHub is a web GUI for a clone running on some server that now happens to be under MS administration. Nothing more. The actual tool is Git that that doesn't care who owns the host a given clone is lying around on, even if that repo has the flashy name of "origin/php-core" or something. Besides, I doubt the repo on GitHub is the only point of truth for PHP core. They have fallbacks and alternatives for upstream, for sure, as any project of this magnitude would have. The core members probably have their own

Re:

[notsouseful]

This is discussed in the article. They (the quoted maintainers) say the problem wasn't a hacked account but rather that their own server, git.php.net, was compromised somehow (the how not being mentioned). Likely someone came up with a way to push to the git repo without sufficient authorization.

They specifically say that they will move to using Github for the canonical source repo, as they did already have github repos set up but they were just copies and not the canonical. If you are not specifying one of

Anybody can upload a forged commit

[takionya]

Anybody can upload a forged commit, a bit of a gaping design flaw.

“with source code version control systems like Git, it is possible to sign-off a commit as coming from anybody else locally and then upload the forged commit [bleepingcomputer.com] to the remote Git server, where it gives off the impression as if it had indeed been signed-off by the person named on it.”

Re:

[Entrope]

Not a design flaw, but a security flaw, serious though it is. It's just like when FTP or HTTP servers get hacked to serve malicious content in place of what was supposed to be there. The usual technique to protect against that is to have a separate cryptographic digital signature on the content, not just for the server's TLS certificate.

And as an AC up-thread mentioned, it is possible to digitally sign [git-scm.com] Git commits, not just by adding a Signed-Off-By line, and it's good practice for any high-profile projec

Gotta love Git. Linus is an effing genius.

[Qbertino]

Cryptohash as detector for repo inconsistency. Brilliant move. Turns such a hack from epic disaster to minor annoyance.
Effing brilliant, that what!

Cudos for the PHP crew for handling this super-professionally as usual. Keep up the good work guys!

Re:

[Bert64]

Exactly, it was quickly detected and never made it into any release versions. The only people this ever could have affected, would be anyone who pulled the latest version from git in the small window before it was detected.