PHP maintainer Nikita Popov has published new details regarding the likely cause of a recent PHP source code compromise and insert of malicious code.
In a new blog post, Popov wrote that he no longer believes the incident was caused by a PHP server compromise as he had wrote late last month. Rather, he surmised the incident was likely the result of a user password leak from a PHP master server (master.php.net).
After further analysis of the access logs, Popov noticed none of the suspicious source code commits included any log entries for Gilotine, a tool the PHP team uses for version control and access control. As a result, Popov determined those code commits to git.php.net were pushed by an unauthorized actor via HTTPS and password-based authentication.
Popov further added the master PHP system was running on old code and likely could have contributed to vulnerability exploit and password leak:
“The master.php.net system, which is used for authentication and various management tasks, was running very old code on a very old operating system / PHP version, so some kind of vulnerability would not be terribly surprising.”
To help mitigate the threat, the PHP master server had been migrated to a new system (main.php.net) and all php.net passwords have also been reset. Moreover, the implementation uses parameterized queries, to make sure SQL injections do not occur. Finally, passwords are now stored using bcrypt.
- Drupal patches 2 Critical arbitrary PHP code execution vulnerabilities
- PHP 7 remote code execution vulnerability exploited in the wild
- phpMyAdmin zero-day vulnerability (CVE-2019-12922)
- Nansh0u campaign targets Windows MS-SQL and PHPMyAdmin servers
- Miori IoT botnet spreads through PHP framework RCE vulnerability