Feeds

PHP.net breach: Concern over safety of source code

Poisoned well pondered

Providing a secure and efficient Helpdesk

Maintainers of the PHP programming language spent the past few days scouring their source code for malicious modifications after discovering the security of one of their servers had been breached.

The compromise of wiki.php.net allowed the intruders to steal account credentials that could be used to access the PHP repository, the maintainers wrote in a brief note. They continue to investigate details of the attack, which exploited a vulnerability in the Wiki software and a separate security flaw in Linux. The site has been down since at least Friday.

“Our biggest concern is, of course, the integrity of our source code,” the maintainers wrote. “We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found.”

The current version of PHP, which was released last week, is 5.3.6.

All data on the compromised server has been wiped and the maintainers are forcing password changes for all accounts with access to the source repository.

The advisory omitted key details of the attack, including how long the compromise lasted, how many account credentials were stolen and whether the passwords were securely hashed, as security best practices dictate. PHP maintainers hadn't responded to a request for comment at time of writing.

Word of the attack began circulating on Friday on underground web forums monitored by researchers from France-based Vupen Security. Based on discussions that took place there, the compromise of wiki.php.net appears to have originated from a “Chinese hacker who exploited a vulnerability in the Wiki application (DokuWiki) installed on the server,” Vupen CEO Chaouki Bekrar wrote in an email to The Reg. The attacker “then used a privilege escalation exploit to take complete control of the host system.”

Friday was the same day that a blog post from December resurfaced that raised additional concerns about the integrity of source code available from the PHP repository. Developer Hannes Magnusson said someone was able to make unauthorized modifications to code he had submitted after his account credentials were compromised.

The changes were limited to the insertion of the name "Wolegequ Gelivable" to the credit list of a specific piece of code, rather than malicious modifications. And the unauthorized code was detected within 10 minutes. Nonetheless, the incident prompted concern.

“Its not a great feeling to have your account hacked into, but I do wonder what the intentions were,” Magnusson wrote. “Maybe just an credentials check, which was supposed to be followed by evil commits if noone had spotted the first one? The Chinese government trying to introduce security holes so they can break into PHP websites?”

PHP is an extremely popular language that allows developers to create webpages with dynamically generated content. In 2007 it formed the underpinnings for 20 million domains, according to figures attributed to Netcraft. Websites including Facebook, Yahoo, Wikipedia and WordPress use it extensively.

The attacks aren't the first to hit repositories for a popular open-source software project. In December, the primary distribution channel for the Free Software Foundation was taken down following an attack that compromised some of the website's account passwords and may have given the attacker unfettered administrative access. In May, PHP-Nuke was purged of a nasty infection that for four days attempted to install malware on visitors' machines. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.