PHP Project Says Security Incident Was Likely Due To A master.php.net Database Leak
The PHP project has issued an update on the security incident it reported on March 30, indicating that it now believes the git.php.net server itself was not compromised.
Instead, developer Nikita Popov said in a detailed post, the problem was most likely due to a leak of the master.php.net user database.
As iTWire reported, the project moved its operations from its own git server to the Microsoft-owned code hosting service GitHub after two malicious commits were discovered in the php-src repository, pushed under the names of founder Rasmus Lerdorf and of Popov.
PHP is a general-purpose scripting language and the most widely used server-side language on the web; popular content management systems such as WordPress, Drupal and Joomla! are all written in it.
Popov stated that master.php.net has now been moved to a new system, main.php.net. “All php.net passwords have been reset. Go to https://main.php.net/forgot.php to set a new password,” he added. “git.php.net and svn.php.net are both read-only now, but will remain available for now.”
Elaborating on what happened, Popov said that when the first malicious commit was made under Lerdorf’s name, the change was reverted and Lerdorf’s commit access was revoked, on the assumption that it was an individual account compromise.
“Looking back, this action didn’t really make sense, as there was (at the time) no reason to believe that the push happened through Rasmus’s account in particular,” he writes. “Any account with access to the php-src repository could have performed the push under a false name.”
Once the second malicious commit was noticed, Popov said he looked closely at the logs of the project’s gitolite installation to find out which account had been used to push these commits.
But while all adjacent commits were accounted for, no git-receive-pack entry existed for the two malicious commits. This meant the two commits had bypassed the gitolite infrastructure entirely, which was taken as evidence that the server had been compromised.
“Shortly after, we made the decision to shut down git.php.net and make GitHub our primary repository host instead. Keeping our own git infrastructure would have required setting up a new git.php.net server after determining the root cause of the compromise,” Popov said.
“This would take a long time and disrupt PHP development in the meantime. A basic migration to GitHub could be done much faster, as most of the repositories were already mirrored there.
“At this point, a lot of the development was already happening through GitHub anyway, and our own git infrastructure was primarily a security liability and a complication for the development workflow, so it wasn’t a difficult decision to make the change.”
He said that what was not known at the time was that git.php.net (intentionally) supported pushing changes not only via SSH (using the gitolite infrastructure and public-key cryptography), but also via HTTPS.
“The latter was not using gitolite, but instead used git-http-backend behind Apache2 Digest authentication against the master.php.net user database,” he said. “I’m not sure why password authentication was supported in the first place, as it is much less secure than public key authentication.”
Popov provided an excerpt from the access logs, from which he said it could be determined that the commits were pushed over HTTPS using password-based authentication.
Among the log entries, he observed: “Note that the attacker only makes a few guesses at user names, and successfully authenticates once the correct user name has been found. While we don’t have any specific evidence for this, a possible explanation is that the master.php.net user database has been leaked, although it is unclear why the attacker would need to guess user names in that case.”
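The pattern Popov describes, a handful of 401 responses under different user names from one client, followed by a 200 and a push, is something a defender can look for in the web server’s own logs. The following Python is an added example, not code from the PHP project or from Popov’s post: it parses Apache “combined” format lines for the git smart-HTTP push endpoints (`info/refs?service=git-receive-pack` and `POST …/git-receive-pack`), records which user names failed authentication from each client host, and flags any successful push that was preceded by such guesses. The log lines are constructed for the example and are not php.net’s real logs; the repository path and user names are placeholders.

```python
"""Flag password-authenticated git pushes over HTTPS that were preceded by
user-name guessing, using Apache access-log lines (constructed sample data)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent".
# Apache fills the user field with the presented name even when the response is 401,
# which is what makes the guessing visible.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

# git smart-HTTP push: a GET for the refs advertisement, then a POST with the pack.
PUSH_REFS = "/info/refs?service=git-receive-pack"
PUSH_POST = "/git-receive-pack"

# Constructed sample (hypothetical hosts, names and repository). The first 401 with
# user "-" is git's normal unauthenticated probe; the named 401s are guesses.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2021:10:55:01 +0000] "GET /php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"
203.0.113.7 - alice [28/Mar/2021:10:55:02 +0000] "GET /php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"
203.0.113.7 - bob [28/Mar/2021:10:55:03 +0000] "GET /php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"
203.0.113.7 - rasmus [28/Mar/2021:10:55:04 +0000] "GET /php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 200 2048 "-" "git/2.30.0"
203.0.113.7 - rasmus [28/Mar/2021:10:55:05 +0000] "POST /php-src.git/git-receive-pack HTTP/1.1" 200 53 "-" "git/2.30.0"
198.51.100.4 - carol [28/Mar/2021:11:02:11 +0000] "GET /php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 200 2048 "-" "git/2.30.0"
198.51.100.4 - carol [28/Mar/2021:11:02:12 +0000] "POST /php-src.git/git-receive-pack HTTP/1.1" 200 53 "-" "git/2.30.0"
192.0.2.9 - - [28/Mar/2021:11:10:00 +0000] "GET /php-src.git/info/refs?service=git-upload-pack HTTP/1.1" 200 2048 "-" "git/2.30.0"
"""


@dataclass
class PushEvent:
    """One successful push over HTTPS and the failed user names that preceded it."""
    host: str
    repo: str
    user: str
    time: str
    failed_users: list = field(default_factory=list)


def parse_line(line):
    """Return the combined-log fields as a dict, or None for an unparseable line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_password_pushes(log_text):
    """Return a PushEvent for every successful POST to git-receive-pack.

    Failed (401) refs requests that carried a user name are remembered per client
    host, so each event lists the distinct names guessed before it, in order.
    """
    failed = defaultdict(list)  # host -> distinct user names that got a 401
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not combined format; ignore rather than crash on odd lines
        host, user, path, status = rec["host"], rec["user"], rec["path"], rec["status"]
        if path.endswith(PUSH_REFS) and status == "401" and user != "-":
            if user not in failed[host]:
                failed[host].append(user)
        elif rec["method"] == "POST" and path.endswith(PUSH_POST) and status == "200":
            repo = path[: -len(PUSH_POST)]
            events.append(PushEvent(host, repo, user, rec["time"], list(failed[host])))
            failed[host].clear()  # start a fresh window after each push
    return events


def suspicious_pushes(log_text):
    """Pushes that followed at least one failed user-name guess from the same host."""
    return [e for e in find_password_pushes(log_text) if e.failed_users]


if __name__ == "__main__":
    for e in suspicious_pushes(SAMPLE_LOG):
        print(f"{e.host} pushed to {e.repo} as {e.user} after guessing {e.failed_users}")
```

Run against a real log, the same logic also gives an inventory of every push that used password authentication at all, which is the list of accounts to reset first, and it would be blind to pushes made over SSH through gitolite, which have to be checked in gitolite’s own log as Popov did.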
Popov said a number of changes have been made to improve security:
- “master.php.net has been migrated to a new system (running PHP 8) and renamed main.php.net at the same time. Among other things, the new system supports TLS 1.2, which means you should no longer see TLS version warnings when accessing this site;
- “The implementation has been moved to using parameterized queries, to make sure that SQL injections cannot occur;
- “Passwords are now stored using bcrypt; and
- “The existing passwords have been reset (use main.php.net/forgot.php to generate a new one).”