Feeds

PHP.net breach: Concern over safety of source code

Poisoned well pondered

Internet Security Threat Report 2014

Maintainers of the PHP programming language spent the past few days scouring their source code for malicious modifications after discovering the security of one of their servers had been breached.

The compromise of wiki.php.net allowed the intruders to steal account credentials that could be used to access the PHP repository, the maintainers wrote in a brief note. They continue to investigate details of the attack, which exploited a vulnerability in the Wiki software and a separate security flaw in Linux. The site has been down since at least Friday.

“Our biggest concern is, of course, the integrity of our source code,” the maintainers wrote. “We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found.”

The current version of PHP, which was released last week, is 5.3.6.

All data on the compromised server has been wiped and the maintainers are forcing password changes for all accounts with access to the source repository.

The advisory omitted key details of the attack, including how long the compromise lasted, how many account credentials were stolen and whether the passwords were securely hashed, as security best practices dictate. PHP maintainers hadn't responded to a request for comment at time of writing.

Word of the attack began circulating on Friday on underground web forums monitored by researchers from France-based Vupen Security. Based on discussions that took place there, the compromise of wiki.php.net appears to have originated from a “Chinese hacker who exploited a vulnerability in the Wiki application (DokuWiki) installed on the server,” Vupen CEO Chaouki Bekrar wrote in an email to The Reg. The attacker “then used a privilege escalation exploit to take complete control of the host system.”

Friday was the same day that a blog post from December resurfaced that raised additional concerns about the integrity of source code available from the PHP repository. Developer Hannes Magnusson said someone was able to make unauthorized modifications to code he had submitted after his account credentials were compromised.

The changes were limited to the insertion of the name "Wolegequ Gelivable" to the credit list of a specific piece of code, rather than malicious modifications. And the unauthorized code was detected within 10 minutes. Nonetheless, the incident prompted concern.

“Its not a great feeling to have your account hacked into, but I do wonder what the intentions were,” Magnusson wrote. “Maybe just an credentials check, which was supposed to be followed by evil commits if noone had spotted the first one? The Chinese government trying to introduce security holes so they can break into PHP websites?”

PHP is an extremely popular language that allows developers to create webpages with dynamically generated content. In 2007 it formed the underpinnings for 20 million domains, according to figures attributed to Netcraft. Websites including Facebook, Yahoo, Wikipedia and WordPress use it extensively.

The attacks aren't the first to hit repositories for a popular open-source software project. In December, the primary distribution channel for the Free Software Foundation was taken down following an attack that compromised some of the website's account passwords and may have given the attacker unfettered administrative access. In May, PHP-Nuke was purged of a nasty infection that for four days attempted to install malware on visitors' machines. ®

Remote control for virtualized desktops

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.