Feeds

PHP.net breach: Concern over safety of source code

Poisoned well pondered

The Power of One eBook: Top reasons to choose HP BladeSystem

Maintainers of the PHP programming language spent the past few days scouring their source code for malicious modifications after discovering the security of one of their servers had been breached.

The compromise of wiki.php.net allowed the intruders to steal account credentials that could be used to access the PHP repository, the maintainers wrote in a brief note. They continue to investigate details of the attack, which exploited a vulnerability in the Wiki software and a separate security flaw in Linux. The site has been down since at least Friday.

“Our biggest concern is, of course, the integrity of our source code,” the maintainers wrote. “We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found.”

The current version of PHP, which was released last week, is 5.3.6.

All data on the compromised server has been wiped and the maintainers are forcing password changes for all accounts with access to the source repository.

The advisory omitted key details of the attack, including how long the compromise lasted, how many account credentials were stolen and whether the passwords were securely hashed, as security best practices dictate. PHP maintainers hadn't responded to a request for comment at time of writing.

Word of the attack began circulating on Friday on underground web forums monitored by researchers from France-based Vupen Security. Based on discussions that took place there, the compromise of wiki.php.net appears to have originated from a “Chinese hacker who exploited a vulnerability in the Wiki application (DokuWiki) installed on the server,” Vupen CEO Chaouki Bekrar wrote in an email to The Reg. The attacker “then used a privilege escalation exploit to take complete control of the host system.”

Friday was the same day that a blog post from December resurfaced that raised additional concerns about the integrity of source code available from the PHP repository. Developer Hannes Magnusson said someone was able to make unauthorized modifications to code he had submitted after his account credentials were compromised.

The changes were limited to the insertion of the name "Wolegequ Gelivable" to the credit list of a specific piece of code, rather than malicious modifications. And the unauthorized code was detected within 10 minutes. Nonetheless, the incident prompted concern.

“Its not a great feeling to have your account hacked into, but I do wonder what the intentions were,” Magnusson wrote. “Maybe just an credentials check, which was supposed to be followed by evil commits if noone had spotted the first one? The Chinese government trying to introduce security holes so they can break into PHP websites?”

PHP is an extremely popular language that allows developers to create webpages with dynamically generated content. In 2007 it formed the underpinnings for 20 million domains, according to figures attributed to Netcraft. Websites including Facebook, Yahoo, Wikipedia and WordPress use it extensively.

The attacks aren't the first to hit repositories for a popular open-source software project. In December, the primary distribution channel for the Free Software Foundation was taken down following an attack that compromised some of the website's account passwords and may have given the attacker unfettered administrative access. In May, PHP-Nuke was purged of a nasty infection that for four days attempted to install malware on visitors' machines. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.