The PHP maintainers recently caught a supply chain attack that, had it gone unnoticed, could have shipped a backdoor to a large number of web servers.
Unidentified attackers obtained access to the official PHP Git server and planted a backdoor in the language’s source code, which would have placed websites running the corrupted build at risk of full takeover. The incident did not have the widespread effect of the recent SolarWinds breach or other supply chain attacks in which backdoors were embedded in trusted software releases and distributed to end users, because it was caught before a release. It did, however, prompt the PHP project to rethink how its code infrastructure is managed.
PHP Repository Incident
The attackers pushed two malicious commits to the php-src repository, one attributed to PHP creator Rasmus Lerdorf and the other to Nikita Popov, a well-known PHP developer and maintainer. The first commit purportedly corrected a small typo in the code, while the second purportedly reverted that patch.
The code was a backdoor: it allowed an attacker to execute arbitrary code on any web server running the trojanized build of PHP simply by sending it a request with a specially crafted string in the User-Agent HTTP header.
Popov said in a statement: “We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account).”
Popov told BleepingComputer that the first commit was found during a routine post-commit code review, and the changes were reverted immediately, before they could make it into a release and onto production servers. PHP, an open-source server-side language, is widely used in web development, so a backdoored release would have had a very large exposed population.
Contributors Markus Staab, Michael Voříšek, and Jake Birchall were the first to notice the change. When Voříšek became suspicious of it and asked about its intent, Birchall replied that the “line executes PHP code from within the useragent HTTP header, if the string starts with ‘zerodium’.”
The attackers appear to have wanted to pin the blame on Zerodium, which bills itself as “the leading exploit acquisition site for premium zero-days.” The zero-day broker, according to its CEO, had nothing to do with the incident.
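The two paragraphs above describe the trigger: a request whose User-Agent header begins with the marker string “zerodium”, with the rest of the header handed to PHP for execution. A practical check for anyone who built PHP from php-src during the affected window is to hunt access logs for that marker. The script below is an added example, not code from php-src or the PHP project. It assumes Apache/nginx “combined” log format (User-Agent is the last quoted field), and the log lines, client addresses and payload text are constructed for the example. It deliberately matches the marker anywhere in the header, a superset of the start-of-header trigger the article describes, so a hunt does not miss variants.

```python
"""Hunt access logs for the 'zerodium' User-Agent trigger described in the article.

Added example, not code from php-src or the PHP project. Assumes the
Apache/nginx "combined" log format, in which the User-Agent is the last
quoted field. Sample log lines below are constructed for this example.
"""
import re
from typing import Dict, Iterable, List, Optional

# Apache/nginx "combined" format:
#   client ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped quotes, so match those too.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<user_agent>(?:[^"\\]|\\.)*)"$'
)

# Marker the planted check looked for in the User-Agent header (from the article).
TRIGGER = "zerodium"

# Constructed sample log lines (not real traffic). Two carry the marker.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2021:21:05:11 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [28/Mar/2021:21:05:12 +0000] "GET / HTTP/1.1" 200 128 "-" "zerodium phpinfo();"',
    '192.0.2.44 - - [28/Mar/2021:21:06:40 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '198.51.100.23 - - [28/Mar/2021:21:07:02 +0000] "GET /health HTTP/1.1" 200 2 "-" "Mozilla/5.0 zerodium system(\\"id\\");"',
    'not a log line at all',
]


def parse_combined_log_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def find_trigger_requests(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every parsed request whose User-Agent contains the trigger marker.

    'at_start' records whether the marker was at the very beginning of the
    header (the exact condition the article quotes); 'payload' is the text
    after the marker, i.e. what the backdoor would have passed on for execution.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_combined_log_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than abort the hunt
        ua = rec["user_agent"]
        idx = ua.find(TRIGGER)
        if idx == -1:
            continue
        hits.append({
            "client": rec["client"],
            "time": rec["time"],
            "request": rec["request"],
            "user_agent": ua,
            "at_start": idx == 0,
            "payload": ua[idx + len(TRIGGER):],
        })
    return hits


if __name__ == "__main__":
    for hit in find_trigger_requests(SAMPLE_LOG):
        flag = "TRIGGER" if hit["at_start"] else "marker"
        print(f'{hit["time"]} {hit["client"]} {hit["request"]!r} {flag}: {hit["payload"]!r}')
```

Run it against a real log with `find_trigger_requests(open("/var/log/apache2/access.log"))`; a hit with `at_start` true on a server that ran a build from the affected window is worth treating as a possible compromise rather than a curiosity, and the `payload` field shows what would have been executed.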
To reduce the risk of a repeat, the PHP team decided to step away from its own Git infrastructure after the breach. Popov said: “While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.”
The move also tightens who can commit. Previously, write access was governed by the project’s “home-grown” karma system on git.php.net; now, contributors must be members of PHP’s GitHub organization and must have two-factor authentication enabled on their accounts.
Meanwhile, beyond the two known commits, the PHP developers and security auditors are still reviewing the repositories for any further indicators of compromise or malicious code. Until that review is complete, the GitHub repositories remain canonical and git.php.net is no longer used for commits.