Another in an ongoing series of hackers attacking developer resources, last week The Bleeping Computer reported that the PHP Git repository was hacked in an attempt to add a backdoor to the PHP source code.
Yesterday two maliciously tainted files were uploaded to git.php.net and signed by two actual PHP developers (Rasmus Lerdorf and Nikita Popov) to appear legitimate.
“The first commit was found a couple of hours after it was made, as part of routine post-commit code review. The changes were rather obviously malicious and reverted right away.”
How Has PHP Responded?
An investigation showed that the hackers had not compromised the developer accounts but the server itself, which was alarming. As a result, PHP has decided to migrate official PHP code to GitHub and decommission their server altogether. PHP officials commented that “While the investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk and that we will discontinue the git.php.net server.”
Popov further commented that “Instead, the repositories on GitHub, which were previously only mirrors, will become canonical.” They also noted that all changes and updates going forward will be updated to GitHub directly and that any contributing developers must be added to the PHP organization on GitHub.
Anyone interested can read the full security announcement here. Those who will be joining must have 2-factor authentication turned on in their GitHub account.
The company is examining all code committed to the server to look for any additional compromised files. Because of the quick discovery and response, PHP does not believe that the malicious code made it into “any tags or release artifacts.”
The affected files were part of a development version of PHP 8.1 that won’t be released to the public until later this year.
What is PHP?
PHP is a server-side programming language used for building websites and web applications. It was developed in 1994 by Rasmus Lerdorf, a Danish-Canadian programmer. The acronym originally stood for “Personal Home Page” but was later changed to “HP: Hypertext Preprocessor.”
PHP is the backbone for many content management systems (WordPress, Drupal, Joomla, etc.). PHP only works on servers with it installed. Most hosting companies support PHP. PHP is open-source and free to use.
PHP is relatively easy to learn as opposed to other programming languages. It is regularly updated and well supported, which makes it a popular choice among new developers. PHP works seamlessly with MYSQL, and you can also use it with other databases like Postgres, Oracle, MS SQL Server, and ODBC, among others. It can easily be integrated within HTML code, making it light and easy to use.
Roughly 20 million websites and applications use PHP code. Due to its wide use and gaining popularity, the attack on PHP source code is extremely alarming. Had the new version been rolled out with malicious code included, millions of potential victims could have been affected. Thankfully, PHP has a process in place for new commits that checks every line of code for anything suspicious. This time, the crisis was averted.