More details released about the incident, though the attacker remains unidentified
The maintainers of PHP have released a post-mortem report after an unknown actor pushed backdoored code onto the scripting language’s official PHP Git repository.
They are thought to have gained access to the main server, which allowed them to plant the backdoor under the guise of a minor edit made in a maintainer’s name.
Last night (April 6), maintainer Nikita Popov released more details related to the attack and said the team no longer believes the git.php.net server was compromised, but that the master.php.net user database was leaked.
The update includes information on a series of changes made to improve security, including that the master.php.net has been migrated to a new system, main.php.net.
All php.net passwords have been reset and users need to request a new one via the ‘forgot password’ function.
Popov also revealed that both git.php.net and svn.php.net are now read-only “but will remain available for the time being”.
After first suspecting that PHP co-creator Rasmus Lerdorf’s account had been compromised, Popov said she investigated the PHP gitolite installation to determine which account pushed the malicious code.
It was then that she realized that there were no git-receive-pack entries for the two malicious commits, meaning that they bypassed the gitolite infrastructure entirely.
“This was interpreted as likely evidence of a server compromise,” wrote Popov.
The team then discontinued the git.php.net server and migrated to GitHub as the repository host.
Popov also found that git.php.net intentionally supported pushing changes not only via SSH but also via HTTPS.
“The latter did not use gitolite, and instead used git-http-backend behind Apache2 Digest authentication against the master.php.net user database.”
Popov added: “Based on access logs, we can determine that the commits were indeed pushed using HTTPS and password-based authentication.”
Unclear entry point
The team suspects that a database leak gave the malicious attacker access to the passwords, though they also made several attempts to guess usernames, with Popov writing that “it is unclear why the attacker would need to guess usernames in that case”.
In light of a possible leak, changes have been made including migrating to master.php.net, which is running PHP 8, and introducing support for TLS 1.2.
Popov also noted that the implementation has been moved towards using parameterized queries, “to be more confident that SQL injections cannot occur”.
Passwords are now stored using bcrypt after previously being stored in a format compatible with HTTP Digest authentication – “essentially a plain md5 hash” – which was required for HTTP authentication on git.php.net and svn.php.net.
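The two changes described above, parameterized queries and bcrypt in place of a Digest-compatible md5 hash, as an added example that is not php.net’s own code. It assumes an in-memory SQLite table, a Digest realm of “php.net” and the RFC 2617 HA1 layout md5("user:realm:password") for the legacy hash; accounts still on the legacy format are verified once by recomputing that digest and then upgraded to bcrypt.

```php
<?php
// Added example, not code from the php.net advisory. Table name and realm are assumptions.
const REALM = 'php.net';

// Legacy HTTP Digest "HA1": md5("user:realm:password"). This is the "essentially a
// plain md5 hash" storage format: unsalted, fast to brute-force if the table leaks.
function legacyDigestHash(string $user, string $password): string {
    return md5("$user:" . REALM . ":$password");
}

// Replacement storage: bcrypt via password_hash (per-hash salt, tunable cost).
function bcryptHash(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    // Constructed sample data: one account still on the legacy digest, one on bcrypt.
    $ins->execute([':u' => 'legacy_user', ':h' => legacyDigestHash('legacy_user', 'correct horse')]);
    $ins->execute([':u' => 'new_user', ':h' => bcryptHash('battery staple')]);
    return $db;
}

// The username only ever reaches SQL as a bound parameter, so a value such as
// "' OR 1=1 --" is compared literally instead of rewriting the query.
function login(PDO $db, string $user, string $password): bool {
    $sel = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $sel->execute([':u' => $user]);
    $stored = $sel->fetchColumn();
    if ($stored === false) {
        return false;
    }
    if (strncmp($stored, '$2y$', 4) !== 0) {          // no bcrypt prefix: legacy md5 digest
        if (!hash_equals($stored, legacyDigestHash($user, $password))) {
            return false;
        }
        // Correct password on a legacy record: re-store it as bcrypt right away.
        $upd = $db->prepare('UPDATE users SET pw_hash = :h WHERE username = :u');
        $upd->execute([':h' => bcryptHash($password), ':u' => $user]);
        return true;
    }
    return password_verify($password, $stored);
}

$db = setupDb();
var_dump(login($db, 'new_user', 'battery staple'));
var_dump(login($db, 'legacy_user', 'correct horse'));   // succeeds and upgrades the stored hash
var_dump(login($db, "' OR 1=1 --", 'anything'));        // injection attempt matches no row
```

After the second call, the `legacy_user` row holds a `$2y$` hash, so a later leak of the table exposes no md5 digests for that account.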
More details on the changes can be found in Popov’s advisory.