PHP Security

Git.PHP.net Not Compromised in Supply Chain Attack, but User Database Leak Possible (inside.com)

Inside.com's developer newsletter reports: The PHP team no longer believes the git.php.net server was compromised in a recent attack, which prompted PHP to move servers to GitHub and caused the team to temporarily put releases on hold until mid-April...

In an update offering further insight into the root cause of the late March attack, the team says because it's possible the master.php.net user database was exposed, master.php.net has been moved to main.php.net. The team also reset php.net passwords, and you can visit https://main.php.net/forgot.php to set a new password. In addition, git.php.net and svn.php.net are both read-only now.

Two malicious commits were pushed to the php-src repo from PHP founder Rasmus Lerdorf and PHP core developer Nikita Popov, Popov announced March 28. After an investigation, the PHP team reassured users these malicious commits never reached end-users. However, the team decided to move to GitHub after determining maintaining its own git infrastructure is "an unnecessary security risk."

"In 2019, the PHP team temporarily shut down its Git server after discovering that an attacker had maliciously replaced the official PHP Extension and Application Repository with a malicious one," reports CPO magazine. But this newer supply chain attack "targeted any server that uses PHP ZLib compression when sending data. Most servers use this functionality on almost all content except images and archives that are already size optimized." The supply chain attack would have turned PHP into a remote web shell through which the attackers could execute any command without authentication, because the attackers would have had the same privileges as the web server running PHP. The backdoor is triggered at the start of a request by checking whether the request contains the word "zerodium." If this condition is met, PHP executes the code in the "User-Agentt" request header. That header closely resembles the legitimate PHP "User-Agent" request header, which is used to check browser properties.

The rest of the request would thus be treated as a command that could be executed on a PHP server using the server's privileges. This would allow the hackers to run any arbitrary command without the need for further privileges...

PHP powers 80% of all websites. Thus, a successful supply chain attack exploiting the language could prove catastrophic.
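As an added example (not code from php-src or from any of the write-ups quoted above), the following Python checks an incoming request for the two indicators the summary names: the misspelled "User-Agentt" header and the string "zerodium" in a header value. The sample requests are constructed, and the placeholder after the trigger word stands in for the code the backdoor would have executed; the function names and the `Finding` record are this example's own.

```python
"""Flag HTTP requests that carry the backdoor trigger described in the
summary: a misspelled "User-Agentt" header (typo-squatting "User-Agent")
and/or the string "zerodium" in a request header.

Added example, not code from php-src or from the write-ups it cites.
Intended for a reverse proxy, a WAF rule, or a one-off scan of captured
requests; the sample requests at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Indicators quoted in the incident write-ups.
TRIGGER_STRING = "zerodium"
MISSPELLED_HEADER = "user-agentt"


@dataclass(frozen=True)
class Finding:
    rule: str      # which indicator matched
    header: str    # lower-cased header name
    value: str     # header value as received


def parse_headers(raw_request: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x request into its request line and headers.

    Header names are lower-cased (HTTP header names are case-insensitive)
    and repeated headers are kept as lists, so a second, misspelled variant
    of User-Agent is never collapsed into the legitimate one.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # blank or malformed line; not a header
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def scan_request(raw_request: str) -> List[Finding]:
    """Return one Finding per indicator matched in the request headers."""
    _, headers = parse_headers(raw_request)
    findings: List[Finding] = []
    # Rule 1: no real client sends "User-Agentt"; its presence alone is a hit.
    for value in headers.get(MISSPELLED_HEADER, []):
        findings.append(Finding("misspelled-user-agent", MISSPELLED_HEADER, value))
    # Rule 2: the trigger word in any header, case-insensitively, so a
    # variant that moves it to a different header name is still caught.
    for name, values in headers.items():
        for value in values:
            if TRIGGER_STRING in value.lower():
                findings.append(Finding("trigger-string", name, value))
    return findings


def is_backdoor_trigger(raw_request: str) -> bool:
    """True when the request matches at least one indicator."""
    return bool(scan_request(raw_request))


# Constructed sample traffic (not captured from a real server).
BENIGN_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "\r\n"
)

# Constructed: misspelled header plus trigger word. The bracketed text after
# the trigger is a placeholder standing in for the code the backdoor would run.
SUSPICIOUS_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "User-Agentt: zerodium[PLACEHOLDER]\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        hits = scan_request(req)
        print(f"{label}: {'ALERT' if hits else 'ok'}")
        for hit in hits:
            print(f"  {hit.rule}: {hit.header}: {hit.value}")
```

The two rules are deliberately independent: the misspelled header is flagged even without the trigger word, and the trigger word is flagged even if it arrives in some other header, so a small change to either half of the trigger does not silence the alert. Note that a standard web server access log usually records only the real `User-Agent`, so a check like this has to run where the full header set is visible (the proxy or the application), not on access logs after the fact.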

Comments:
  • This was already discussed at length a few days ago. Quit recycling...

  • Hmmmm (Score:3, Funny)

    by JustAnotherOldGuy ( 4145623 ) on Sunday April 11, 2021 @03:21PM (#61261382) Journal

    PHP haters, take note:

    "PHP powers 80% of all websites."

    Okay code snobs, let the hate flow through you!

    I like PHP. It's made me a shitload of money over the years, so I'm genuinely looking forward to all the derogatory comments about how "PHP is teh shitty language!!1!"

    I'll read them sitting in a fully paid-off, 4-bedroom home that was bought and paid for by PHP.

    Is PHP the greatest language in the universe, or even on this block? Nope.
    Does PHP have lots of sharp edges? Yep.
    Do many of the functions appear to be named by crack addicts with head injuries? Yep.
    Do I give a shit? Nope.

    Anyway, have at it boys, tell me how awful it is. (I'll try not to rub my private parts with handfuls of $100 bills while you're venting, lol.)

    • Sou herb plantation owners got rich by exploiting slaves. Just because you can make money doing it doesn't make it good.

      The sooner php is killed, the better the world will be. It's a sorry excuse for a platform, built with no forethought or care. And the people that use it are hacks.

      • Sou herb plantation owners got rich by exploiting slaves.

        Instant fail. Are you really comparing slavery with PHP?

        Come on, honey, you can do better than that. Maybe discuss with your psychiatrist why you're so triggered by someone being successful with a language you don't like.

        In the meantime, I have to go rub some more $100 bills on my crotch.

    • Perhaps you forgot to check that argumentum ad populatum is still a logical fallacy in 2021.

      My company makes up some of those 80% powered by PHP, I make my salary supporting PHP web sites and coding PHP code myself, I even like some of the overall language, and PHP happens to be the first language in which I coded any non-toy programs.

      Yet it is still pretty much THE shitty language. A primer on how you DO NOT create a programming language, from security hell to just absurd language features that trip you on

      • Comment removed based on user account deletion
        • Finally, someone who gets it.

          Do I love PHP? Yes.
          Is it because it's such an outstanding language? Nope.
          Is it because I've made a borkload of dough with it? Yes.

          That's why I love it, not because it's a great language.

          Poor "impaledsunset" above got so triggered he practically wrote a book to refute me, when there's nothing to refute, lol.

          No argument whatsoever- PHP is a hot mess. And I love it.

      • Too long, didn't read.

        Anyway, all your whining is pointless. I didn't read much of your post, but I probably don't even disagree with most of what you said.

        PHP is a terrible language, and it's made me tons of fucking cash. That was my point.

        Anyway, what were you saying? Something something bad language...? I kind of got distracted by the shitloads of money it's made me.

    • by tlhIngan ( 30335 )

      So? Windows powers 90% of PCs out there. Obviously it doesn't suck? Intel powers the vast majority of PCs out there, it doesn't suck?

      Just because something is stupidly popular doesn't mean it doesn't suck. PHP may power most websites out there, but there are plenty of reasons why it sucks. And the bigger problem is because of certain design decisions, there are multiple wrong ways to do things, and the wrongness is now etched forever in stone through StackOverflow and other copy-and-paste code sites.

      • Sorry, but I couldn't hear you over the sound of $100 bills being rubbed on my crotch.

        PHP may power most websites out there, but there are plenty of reasons why it sucks.

        Hey dumb ass, where did I ever claim that PHP didn't suck? Oh yeah, that's right- I didn't. Got any other strawman arguments you'd like me to set fire to?

        and the wrongness is now etched forever in stone through StackOverflow and other copy-and-paste code sites.

        Damn, it's a good thing that that never happens with any other language on Stack

    • Comment removed based on user account deletion
      • you're constantly having to patch every single website you maintain thanks to some Wordpress developer forgetting momentarily that "0" is the same thing as "", allowing a third party to run arbitrary bitcoin miners on your server farm and grab your ssh keys.

        I've never had this issue, probably because I write most of the code that goes on my sites, and also because I try to retrofit code that didn't originate with me with some extra sanitizing and hardening.
