The PHP project has released an update on the security issue it announced on March 30, saying that the git.php.net server is now believed to be unaffected.
Instead, developer Nikita Popov said in a detailed article, the problem was most likely due to a master.php.net database leak.
As iTWire reported, the project moved its operations from its own git server to GitHub, the software code repository owned by Microsoft, after two malicious commits were discovered in the php-src repository in the names of founder Rasmus Lerdorf and Popov.
PHP is a general-purpose scripting language and the most widely used one on the web; popular content management systems like WordPress, Drupal and Joomla! are all written in it.
Popov stated that master.php.net has now been moved to a new system, main.php.net. “All php.net passwords have been reset. Go to https://main.php.net/forgot.php to set a new password,” he added. “git.php.net and svn.php.net are both read-only now, but will remain available for now.”
Elaborating on what happened, Popov said that when the first malicious commit was made under Lerdorf’s name, the change was reverted and access to Lerdorf’s account was revoked, on the assumption that it was an individual account compromise.
“In hindsight, this action didn’t really make sense, as there was (at the time) no reason to believe that the push had happened through Rasmus’s account in particular,” he said. “Any account with access to the php-src repository could have performed the push under a false name.”
After the second malicious commit was noticed, Popov said he looked closely at the logs of the project’s gitolite installation to try to find out which account was used to perform these commits.
But while all adjacent commits were accounted for in the logs, no git-receive-pack entry was present for the two malicious commits. This meant that the two commits had bypassed the gitolite infrastructure entirely, which was interpreted as indicating a server compromise.
“Shortly after that we made the decision to shut down git.php.net and make GitHub our primary repository host instead. Keeping our own git infrastructure would have required setting up a new git.php.net server after determining the root cause of the compromise,” Popov said.
“It would take a long time and disrupt PHP development in the meantime. A basic migration to GitHub could be done much faster, as most repositories were already mirrored there.
“At this point a lot of development was already going through GitHub anyway, and our own git infrastructure was primarily a security issue and a complication of the development workflow, so it wasn’t a hard decision to make the switch.”
He said he was unaware at the time that git.php.net (intentionally) supported pushing changes not only over SSH (using the gitolite infrastructure and public key cryptography), but also over HTTPS.
“The latter did not use gitolite, but instead used git-http-backend behind Apache2 Digest authentication against the master.php.net user database,” he said. “I’m not sure why password authentication was supported in the first place, as it is much less secure than public key authentication.”
Popov provided an excerpt from the access logs, from which he said it could be determined that the commits were pushed using HTTPS and password authentication.
Among the commits, he observed: “It should be noted that the attacker only makes a few assumptions about usernames and successfully authenticates once the correct username has been found. While we have no specific evidence for this, one possible explanation is that the master.php.net user database has been leaked, although it is unclear why the attacker would need to guess the usernames in this case.”
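The pattern Popov describes in the access logs can be checked for mechanically. The following is an added example, not code from the PHP project or from the original article: it scans Apache combined-format access log lines for pushes accepted through git's HTTP endpoint (which never appear in gitolite's logs) and reports which other usernames were rejected from the same address beforehand. The log lines, IP addresses, usernames and repository path are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log: documentation IPs, made-up
# usernames and repository path. Not taken from the php.net logs.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:01:57:00 +0000] "GET /repo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"
203.0.113.7 - alice [01/Jan/2024:01:57:01 +0000] "GET /repo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"
203.0.113.7 - bob [01/Jan/2024:01:57:09 +0000] "GET /repo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"
203.0.113.7 - carol [01/Jan/2024:01:57:20 +0000] "GET /repo.git/info/refs?service=git-receive-pack HTTP/1.1" 200 4269 "-" "git/2.30.0"
203.0.113.7 - carol [01/Jan/2024:01:57:22 +0000] "POST /repo.git/git-receive-pack HTTP/1.1" 200 63 "-" "git/2.30.0"
198.51.100.4 - dave [01/Jan/2024:02:10:00 +0000] "GET /repo.git/info/refs?service=git-upload-pack HTTP/1.1" 200 4269 "-" "git/2.30.0"
198.51.100.9 - erin [01/Jan/2024:03:00:00 +0000] "POST /repo.git/git-receive-pack HTTP/1.1" 200 63 "-" "git/2.30.0"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_push_request(path):
    """True for git smart-HTTP push endpoints (ref discovery or the push itself)."""
    return path.endswith("/git-receive-pack") or "service=git-receive-pack" in path


def find_http_pushes(log_text):
    """Return accepted HTTP pushes with the usernames rejected from the same IP first."""
    rejected = defaultdict(list)  # ip -> usernames that received 401 on a push endpoint
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not is_push_request(m["path"]):
            continue  # fetches (git-upload-pack) and unrelated requests are ignored
        ip, user, status = m["ip"], m["user"], int(m["status"])
        if status == 401:
            # "-" is the credential-less first request of an HTTP auth handshake.
            if user != "-" and user not in rejected[ip]:
                rejected[ip].append(user)
        elif m["method"] == "POST" and 200 <= status < 300:
            guessed = [u for u in rejected[ip] if u != user]
            findings.append({"ip": ip, "user": user, "guessed_first": guessed,
                             "suspicious": bool(guessed)})
    return findings


if __name__ == "__main__":
    for finding in find_http_pushes(SAMPLE_LOG):
        print(finding)
```

Every entry returned is a push that reached the repository without passing through gitolite; the `suspicious` flag marks those that followed rejected attempts under other usernames.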
Popov said a number of changes have been made to enhance security:
- “master.php.net has been migrated to a new system (running PHP 8) and renamed to main.php.net at the same time. Among other things, the new system supports TLS 1.2, which means you should no longer see TLS version warnings when accessing this site;
- “The implementation has been moved to using parameterized queries, to make sure that SQL injections cannot occur;
- “Passwords are now stored using bcrypt; and
- “The existing passwords have been reset (use main.php.net/forgot.php to generate a new one).”