PHP.net breach: Concern over safety of source code
Poisoned well pondered
Maintainers of the PHP programming language spent the past few days scouring their source code for malicious modifications after discovering the security of one of their servers had been breached.
The compromise of wiki.php.net allowed the intruders to steal account credentials that could be used to access the PHP repository, the maintainers wrote in a brief note. They continue to investigate details of the attack, which exploited a vulnerability in the Wiki software and a separate security flaw in Linux. The site has been down since at least Friday.
“Our biggest concern is, of course, the integrity of our source code,” the maintainers wrote. “We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found.”
The current version of PHP, which was released last week, is 5.3.6.
All data on the compromised server has been wiped and the maintainers are forcing password changes for all accounts with access to the source repository.
The advisory omitted key details of the attack, including how long the compromise lasted, how many account credentials were stolen and whether the passwords were securely hashed, as security best practices dictate. PHP maintainers hadn't responded to a request for comment at time of writing.
Word of the attack began circulating on Friday on underground web forums monitored by researchers from France-based Vupen Security. Based on discussions that took place there, the compromise of wiki.php.net appears to have originated from a “Chinese hacker who exploited a vulnerability in the Wiki application (DokuWiki) installed on the server,” Vupen CEO Chaouki Bekrar wrote in an email to The Reg. The attacker “then used a privilege escalation exploit to take complete control of the host system.”
Friday was the same day that a blog post from December resurfaced that raised additional concerns about the integrity of source code available from the PHP repository. Developer Hannes Magnusson said someone was able to make unauthorized modifications to code he had submitted after his account credentials were compromised.
The changes were limited to the insertion of the name "Wolegequ Gelivable" to the credit list of a specific piece of code, rather than malicious modifications. And the unauthorized code was detected within 10 minutes. Nonetheless, the incident prompted concern.
“Its not a great feeling to have your account hacked into, but I do wonder what the intentions were,” Magnusson wrote. “Maybe just an credentials check, which was supposed to be followed by evil commits if noone had spotted the first one? The Chinese government trying to introduce security holes so they can break into PHP websites?”
PHP is an extremely popular language that allows developers to create webpages with dynamically generated content. In 2007 it formed the underpinnings for 20 million domains, according to figures attributed to Netcraft. Websites including Facebook, Yahoo, Wikipedia and WordPress use it extensively.
The attacks aren't the first to hit repositories for a popular open-source software project. In December, the primary distribution channel for the Free Software Foundation was taken down following an attack that compromised some of the website's account passwords and may have given the attacker unfettered administrative access. In May, PHP-Nuke was purged of a nasty infection that for four days attempted to install malware on visitors' machines. ®