The widely used PHP web scripting language has been ridiculed this week. A hacker added three lines of code in a stealthy attempt to add an obvious backdoor.

A hilarious joke, maybe. But the real question is: what was added via the same Git vulnerability? Considering that around 80% of the web depends on PHP in one way or another, this is a serious and urgent matter.

Like many of these projects, PHP works with minimal resources, but it is a critical infrastructure around the world. In this week Security Blogwatch, we will never give up on you.

Your humble blogger has curated these blog posts for your entertainment. Not to mention: Panorama.

PHP Group will close its doors

What is the craic? Ax Sharma collects the spaghetti code—Hacked Git server to add backdoors to PHP source code:

Two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server. The threat actors had signed these validations as if they had been made by known PHP developers and maintainers, Rasmus Lerdorf and Nikita Popov.
…
The incident is alarming given that PHP remains the server-side programming language to power over 79% of websites on the Internet. … According to PHP maintainers, this malicious activity originated from the compromised git.php.net server, rather than the compromise of an individual’s Git account. [So they] decided to migrate the official PHP source code repository to GitHub.
…
“The changes weren’t turned into tags or release artifacts. … The changes concerned the development branch of PHP 8.1, which is expected to be released at the end of the year.” [said] Popov.

And Catalin Cimpanu erupts like Mount Edgecumbe –Hacker backdoor PHP source code:

The backdoor mechanism was first spotted by Michael Voříšek, a Czech software engineer. Had the malicious code gone into production, the code would have allowed threat actors to run their own malicious PHP commands on victims’ servers.
…
Due to the security breach, the PHP team decided … that their internal Git server was no longer trustworthy. … At the end of 2018, hackers also compromised the official site of the PHP PEAR Extensions System and hosted a backdoor version of the PHP PEAR Package Manager for nearly six months in an incident that has yet to be explained today.

PHP FTW? Nikita Popov lives mainly on the island of Basse Caisse:

Two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and myself. We don’t know exactly how it happened yet [but] we have decided that maintaining our own git infrastructure is an unnecessary security risk.
…
We review the repositories for any corruption beyond the two referenced commits. Please contact [email protected] if you notice anything.

Ding ding ding ding ding. b0llchit the Taco Liberty Bell rings:

When our (development) infrastructure is concentrated on one or a few sites like github, we make ourselves just as vulnerable, if not more, than when we use our own infrastructure. These companies provide “free” only to the extent that they profit from it.
…
When the wind changes or new management arrives, you could be in an even worse situation than before. A breach also has more impact at a centralized location.
…
Infrastructure costs money and requires a lot of expertise. Yes, it is easy to outsource this. It may even be cheap at first. Costs will come eventually and will likely be higher than expected.

What a slop den. Mark Randall stops before blaming Congress:

The PHP project… just doesn’t have the funds to devote somebody to it. … Github offers us its services for free, like everyone else. We would be foolish to pass up the opportunity. If anything, it’s just a shame it took an attack to prompt the move.
…
The PHP development team is tiny, its operations team is even smaller, 1 or 2 people at most.

It’s like Nixon is saying, “I didn’t do anything wrong and I won’t do it again.” Here is Michael Wojcik:

Frankly, the idea that 80% of websites… use PHP is already more than a little worrying. If the PHP organization had the resources of Apple, I wouldn’t feel better with the language.

Not exactly a subtle commit, however. kenmacd stands in the middle of the rubble of the Space Needle:

I would say the reason it doesn’t hide better is because it’s specifically meant not to hide. … The commit was almost certainly never meant to enter a server log, it was meant to be seen, and it was.
…
The vulnerability that interests us is the one that allowed these commits to be injected… the backdoor into the PHP code repository.

You will believe that an Adélie penguin can fly. Just like Xavin:

Just another example of why you should never try to deploy your own security related infrastructure unless you really Know what you are doing.

Think deeper. rsilvergun opens a box of delicious unicorn meat:

Is it just me, or is it terrifying how much our IT infrastructure is built from these relatively small projects?

Meanwhile, this Anonymous coward bite into a left-handed BK Whopper:

“We don’t know exactly how it happened yet.” My guess: because it was written in PHP.

The insane moral of the story?

How much of your infrastructure relies on poorly funded open source projects?

And stupidly

Shoot the other one, Aunty. There are bells.

Hat Tip: Alex Boese’s Top 100 April Fools Hoax

Previously on “And finally”

Have you read Security Blogwatch by Richi Jennings. Richi curates the best blog posts, the best forums, and the weirdest websites… so you don’t have to. Hateful messages can be directed to @RiCHi or [email protected] Ask your doctor before reading. Your mileage may vary. E&OE. 29¾.

Zomgsauce of this week: Tomi Knuutila (cc: by-nc)

Keep learning