Attackers place backdoor in PHP via Git server compromise
Attackers managed to place a backdoor in PHP’s official Git repository. Two commits were presented as minor tweaks, but in reality allowed remote code execution on websites running PHP.
The attack took place on Sunday and was discovered by PHP users. The developers of the programming language have since confirmed that an attack took place. Attackers pushed a commit to PHP’s main repository that could open a backdoor on affected websites. It did not make it into a release. The commits were made under the names of two main PHP programmers, Rasmus Lerdorf and Nikita Popov. The programmers say they don’t know exactly how that happened, but say that “everything indicates” that the Git server git.php.net itself was compromised, rather than the commits being made from, say, a compromised individual Git account.
The backdoor theoretically made it possible to attack websites running PHP. There are many: PHP runs on 79.1 percent of all websites. Those websites would, however, have had to upgrade to a PHP build containing the backdoor after it was placed. In that case, attackers could send an HTTP request to a vulnerable site and gain control over the website. The backdoor has since been removed. Since the malicious code never made it into a production release, the chance that websites are actually affected is very small.
Notably, the backdoor could only be triggered if a particular HTTP header contained the text zerodium. Zerodium is a well-known company that buys exploits. It’s not clear whether there really is a link to Zerodium; it seems more likely that, for example, a security researcher used the company name to get noticed.
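As an added defender-side example (not code from the article or the PHP project), the following checks incoming HTTP requests for the trigger string described above. The article does not name the header involved, so this scans every header case-insensitively; the sample requests are constructed.

```python
"""Flag HTTP requests whose headers carry the 'zerodium' trigger string."""

TRIGGER = "zerodium"  # trigger text named in the article; compared case-insensitively


def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP/1.x request into {header-name-lowercased: value}."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_trigger(raw_request: str, trigger: str = TRIGGER) -> list:
    """Return [(header_name, value)] for each header whose value contains trigger."""
    return [
        (name, value)
        for name, value in parse_headers(raw_request).items()
        if trigger in value.lower()
    ]


def count_suspect(requests: list) -> int:
    """Number of requests in a batch (e.g. replayed from a log) that contain the trigger."""
    return sum(1 for req in requests if find_trigger(req))


# Constructed sample requests; not real traffic.
BENIGN = (
    "GET / HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)
SUSPECT = (
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: scanner/1.0 ZeroDium\r\n\r\n"
)

if __name__ == "__main__":
    for req in (BENIGN, SUSPECT):
        print(find_trigger(req) or "clean")
```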
According to the PHP team, the existing Git server is no longer considered secure. As a precaution, all source code has therefore been moved to GitHub. The developers emphasize that every developer there must enable two-step verification. The GitHub repositories were previously read-only mirrors, but after the incident they have become canonical, according to developer Popov.
Update: it has been clarified that this is a commit that did not make it into the release cycle.