Attackers have managed to plant a backdoor in PHP's official Git repository. Two commits were disguised as minor changes but in fact added code that allows remote code execution on websites running a PHP build containing them.
The attack took place on Sunday and was discovered by PHP contributors. The maintainers of the language have now confirmed that an attack occurred. The attackers pushed a commit to PHP's main repository that could open a back door on affected websites; it was never carried through to a release. The commits were made in the names of two PHP lead developers, Rasmus Lerdorf and Nikita Popov. The developers say they do not yet know exactly how this happened, but that "everything indicates" the git.php.net server itself was compromised, rather than, for example, an individual developer's Git account.
The back door would in theory have made it possible to attack websites running PHP, and there are many of those: PHP runs on 79.1 percent of all websites. A site would first have had to upgrade to a PHP build made after the back door was committed. Attackers could then send an HTTP request to the vulnerable site and take control of it. The hole has since been closed. Because the malicious code never made it into a production release, the chance that any websites were actually affected is very small.
Interestingly, the back door could only be triggered if a particular HTTP header contained the string "zerodium". Zerodium is a well-known broker that pays for exploits. It is not clear whether there is really any link to Zerodium; it seems more likely that, for example, a security researcher used the company's name to attract attention.
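As an added example, not code from the article or from the PHP project, the two checks a site operator would reasonably want after reading the above: a detector that flags incoming requests carrying the trigger word in any header, and a scan of a php-src checkout for the same literal before a build is deployed. Everything below is an assumption on top of what the article says: the trigger is treated as the case-sensitive literal "zerodium" in a header value (the article does not name the header, so every header is inspected), requests are modelled as header dictionaries such as a reverse proxy or WAF might log, and all sample requests and source files are constructed.

```python
"""Added example, not the PHP project's code: detection for the git.php.net
back door trigger described in the article.

Assumptions (none stated by the article):
  * the trigger is the case-sensitive literal "zerodium" in some request
    header value; the header is not named, so every header is checked;
  * a request is a dict of header name -> header value, as a proxy/WAF logs it;
  * the same literal would be present in a PHP source tree that contained the
    malicious commits, so scanning a checkout for it is a cheap pre-build check.
"""
import os
from typing import Dict, List, Optional, Tuple

TRIGGER = "zerodium"

# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"Host": "www.example", "User-Agent": "Mozilla/5.0", "Accept": "*/*"},
    {"Host": "www.example", "User-Agent": "curl/7.76.0",
     # trigger word immediately followed by a payload, the shape an attacker would send
     "X-Probe": "zerodiumvar_dump(2*3);"},
    {"Host": "www.example", "User-Agent": "ZeroDium scanner"},  # different case
]

# Constructed sample source files (relative path -> contents), standing in for a checkout.
SAMPLE_SOURCES: Dict[str, bytes] = {
    "ext/example/filter.c": b"int rc = 0;\nif (strstr(enc, \"zerodium\")) {\n}\n",
    "main/main.c": b"/* nothing to see here */\n",
}


def find_trigger(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (header name, text after the trigger) for the first header value
    containing TRIGGER, or None. The text after the trigger is what a back door
    of this kind would hand to the interpreter, so it is the part worth logging."""
    for name, value in headers.items():
        idx = value.find(TRIGGER)
        if idx != -1:
            return name, value[idx + len(TRIGGER):]
    return None


def flag_requests(requests: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Index every request whose headers carry the trigger: (index, header, payload)."""
    flagged = []
    for i, headers in enumerate(requests):
        hit = find_trigger(headers)
        if hit is not None:
            flagged.append((i, hit[0], hit[1]))
    return flagged


def scan_sources(files: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Report (path, line number) for every source line containing TRIGGER.
    A clean tree yields an empty list."""
    needle = TRIGGER.encode()
    hits = []
    for path, data in files.items():
        for lineno, line in enumerate(data.splitlines(), start=1):
            if needle in line:
                hits.append((path, lineno))
    return hits


def scan_source_tree(root: str, suffixes=(".c", ".h")) -> List[Tuple[str, int]]:
    """Read a real checkout from disk and feed it to scan_sources()."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
    return scan_sources(files)


if __name__ == "__main__":
    print(flag_requests(SAMPLE_REQUESTS))  # [(1, 'X-Probe', 'var_dump(2*3);')]
    print(scan_sources(SAMPLE_SOURCES))     # [('ext/example/filter.c', 2)]
```

The third sample request ("ZeroDium scanner") is deliberately not flagged: the match is case-sensitive here because the article describes a literal string, and a real deployment should decide whether a looser match is wanted. The source scan only catches this particular literal; it is a check that a build was not made from the tainted tree, not a general back door detector.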
According to the PHP team, the existing Git server can no longer be considered secure. As a precaution, all source code has therefore been moved to GitHub, and the developers stress that every contributor there must enable two-factor authentication. The GitHub repositories had previously been read-only mirrors, but after the incident they will, according to developer Popov, become the canonical repositories.
Update: it has been clarified that this was a commit that never entered the release cycle.