PHP Maintainers Shared Update On PHP Source Code Compromise

PHP maintainer Nikita Popov have released a report after an unknown actor pushed backdoored code onto the official PHP Git repository.

The maintainers of the PHP programming language have issued an update regarding the security incident that came to light late last month, stating that the actors may have gotten hold of a user database containing their passwords to make unauthorized changes to the repository.

The PHP code repository was compromised two weeks ago with the insertion of code that, if left in place, would have enabled a backdoor into any web server running it. The code was initially committed in the name of Rasmus Lerdorf, creator of PHP. After it was removed, it was recommitted under Popov’s name.

This was initially treated as a compromise of the git.php.net server. Further investigation into the incident has revealed that the commits were a result of pushing them using HTTPS and password-based authentication. This leading them to suspect a possible leak of the master.php.net user database.

We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked,

Nikita Popov said

The team suspects that a database leak gave the malicious attacker access to the passwords. However they also made several attempts to guess usernames.

While we don’t have any specific evidence for this, a possible explanation is that the user database of master.php.net has been leaked, although it is unclear why the attacker would need to guess usernames in that case,

Nikita Popov explained

Actions taken

The update includes information on a series of changes made to improve security. Above all, the master.php.net has been migrated to a new system, main.php.net.

In response to the incident, all php.net passwords have been reset. In addition, the use of the git.php.net server has been discontinued in favor of GitHub. Expected, steps have been taken to make master.php.net more secure. Passwords are now stored using bcrypt after previously being stored in a format compatible with HTTP Digest authentication.

You can check out the full announcement here.

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

Think You're an Ubuntu Expert? Let's Find Out!

Put your knowledge to the test in our lightning-fast Ubuntu quiz!
Ten questions to challenge yourself to see if you're a Linux legend or just a penguin in the making.

1 / 10

Ubuntu is an ancient African word that means:

2 / 10

Who is the Ubuntu's founder?

3 / 10

What year was the first official Ubuntu release?

4 / 10

What does the Ubuntu logo symbolize?

5 / 10

What package format does Ubuntu use for installing software?

6 / 10

When are Ubuntu's LTS versions released?

7 / 10

What is Unity?

8 / 10

What are Ubuntu versions named after?

9 / 10

What's Ubuntu Core?

10 / 10

Which Ubuntu version is Snap introduced?

The average score is 68%