dreamnas.blogg.se

Php open source code






An attacker added a backdoor to a code repository for the widely used, open-source PHP server-side scripting language, the project's developers have warned.

Malicious code added to PHP's source code repository included a reference to zero-day vulnerability broker Zerodium.

In a Sunday alert, PHP contributor Nikita Popov said that attackers appear to have infiltrated the project's self-hosted Git server.

An attacker made two "malicious Git commits," Popov says in the security alert. Git is widely used open-source version-control software. A commit records a change to a project's source code repository so that the change is carried into the next release.

Market researcher Web Technology Surveys reports that at least 79% of all websites use PHP.

The flaw appears to have been first spotted by PHP developers, including Michael Voříšek, who were reviewing a code change that purported to fix a typo. But they found that if an attacker sent a PHP-using website an HTTP request whose user-agent header began with "zerodium," the rest of that header would be executed as PHP code, letting the attacker run arbitrary code on the server.

Malicious Addition Excised

As of Monday morning, the code had been rolled back to a previous version that doesn't contain the backdoor. It's unclear so far if the backdoored code was downloaded and added to any public-facing websites by anyone handling beta code. But the last stable release of PHP to be issued, version 8.0.3, was released on March 4, well before the malicious commits were made on Sunday.

Popov, who's also a software developer focusing on PHP for software development firm JetBrains, says one malicious commit was made in his name, and another in the name of PHP creator Rasmus Lerdorf. Both say they did not make those commits, and Popov notes that the project team's core members are now investigating.

"We don't yet know how exactly this happened, but everything points toward a compromise of the server (rather than a compromise of an individual git account)," he says.

"While the investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the server," he adds. "Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to ."

Popov issued the alert after consulting with other team members via a discussion on the PHP support group on Stack Overflow. "I think this is a priceless opportunity to shut down and declare the github repos canonical," he posted.

"Yeah, burn it with fire, having our own git servers complicates everything, it's a time sink in every way," PHP contributor Joe Watkins posted in response. "The facts are, we suck at keeping things safe, and should hand over to the professionals."

Popov notes that "previously write access to repositories was handled through our home-grown karma system," whereas now anyone who wants to contribute code will need to sign up to PHP's GitHub organization. "Membership in the organization requires 2FA to be enabled," he says, meaning anyone who attempts to push code will have to use multifactor authentication to validate their identity.

Zerodium Named in Backdoor

Confusion continues about what the attacker might have been trying to accomplish.

"Code added to the Git source code repository in Popov's name executes PHP code from within the useragent HTTP header, if the string starts with 'zerodium,'" warned developer Michael Voříšek.

The fake commit calls out Zerodium, a Washington-based security firm that specializes in buying and selling zero-day vulnerabilities. The injected code also carries the comment "REMOVETHIS: sold to zerodium, mid 2017," a line suggesting the vulnerability was sold to Zerodium in mid-2017, which Mikko Hypponen, chief research officer at Finnish security firm F-Secure, highlighted on March 29, 2021.

In other words, whoever added the code doesn't appear to have been trying to be stealthy.

"It's the 'REMOVETHIS: sold to zerodium, mid 2017' which has me confused / concerned. freaking obvious," says a participant on PHP's Stack Overflow chat board.

"Right, I think it might have been a poorly delivered whitehat, tbqh," responded PHP project developer Sara Golemon, who's served as the release manager for both the 7.2 and current 8.0 branches of PHP, referencing what might have been the efforts of a white hat hacker attempting to do good.
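The article describes the trigger as a user-agent header that starts with "zerodium" and an injected comment reading "REMOVETHIS: sold to zerodium, mid 2017". The Python below is an added example, not code from the PHP project or from the article, showing the two checks a defender would run on that description: a pass over web server access logs for requests carrying the trigger, and a pass over a source tree for the marker strings. It assumes the combined log format (User-Agent is the last quoted field), treats the remainder of a matching header as the suspected payload, matches case-insensitively to be conservative, and uses constructed log lines and source files as input; none of that is stated on the page.

```python
"""Added example, not the PHP project's or the article's code: detection for
the backdoor trigger described in the article.

Assumptions (not stated on the page):
  - Access logs use the Apache/nginx "combined" format, User-Agent last.
  - The trigger is a user-agent starting with "zerodium"; matching here is
    case-insensitive and ignores leading whitespace, and the remainder of
    the header is treated as the suspected PHP payload.
  - Source scanning looks for the two strings quoted in the article.
  - SAMPLE_LOG and SAMPLE_SOURCE are constructed, not real data.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

TRIGGER_PREFIX = "zerodium"
SOURCE_MARKERS = ("zerodium", "REMOVETHIS")

# host ident authuser [time] "METHOD path proto" status bytes "referer" "user-agent"
_COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Fields of one combined-format log line, or None if it does not parse."""
    m = _COMBINED.match(line)
    return m.groupdict() if m else None


def is_trigger_ua(user_agent: str) -> bool:
    """True if this user-agent would activate the backdoor as the article describes it."""
    return user_agent.lstrip().lower().startswith(TRIGGER_PREFIX)


def find_trigger_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the requests whose user-agent starts with the trigger word."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None or not is_trigger_ua(rec["ua"]):
            continue
        ua = rec["ua"].lstrip()
        hits.append({
            "host": rec["host"],
            "time": rec["time"],
            "path": rec["path"],
            # Assumed: everything after the trigger word is the PHP to be evaluated.
            "payload": ua[len(TRIGGER_PREFIX):],
        })
    return hits


def scan_source(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """(path, line number, line) for every source line containing a marker string."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            low = line.lower()
            if any(marker.lower() in low for marker in SOURCE_MARKERS):
                findings.append((name, lineno, line.strip()))
    return findings


def scan_tree(root: Path, suffixes: Tuple[str, ...] = (".c", ".h", ".php")) -> List[Tuple[str, int, str]]:
    """Run scan_source over a checked-out source tree on disk."""
    files = {
        str(p.relative_to(root)): p.read_text(errors="replace")
        for p in root.rglob("*")
        if p.is_file() and p.suffix in suffixes
    }
    return scan_source(files)


# Constructed sample input: not real traffic and not the real PHP source.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2021:22:10:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [28/Mar/2021:22:10:09 +0000] "GET /index.php HTTP/1.1" 200 87 "-" "zerodiumphpinfo();"',
    '198.51.100.4 - - [28/Mar/2021:22:11:30 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/" "curl/7.74.0"',
    '198.51.100.4 - - [28/Mar/2021:22:12:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "  ZeroDiumsystem(\'id\');"',
]

SAMPLE_SOURCE = {
    "ext/example/clean.c": "int ok(void) { return 0; }\n",
    "ext/example/suspect.c": (
        "/* fix typo */\n"
        "static int n;\n"
        "/* REMOVETHIS: sold to zerodium, mid 2017 */\n"
    ),
}

if __name__ == "__main__":
    for hit in find_trigger_requests(SAMPLE_LOG):
        print("trigger request:", hit)
    for finding in scan_source(SAMPLE_SOURCE):
        print("source marker:", finding)
```

Run against real logs with `find_trigger_requests(open("access.log"))` and against a checkout with `scan_tree(Path("php-src"))`. The log check only sees requests that were logged after the header was processed, so a server that was already backdoored and had its logging tampered with may show nothing; the source check is the one to trust for deciding whether a given tree ever contained the injected commit.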






