Git.PHP.net Not Compromised in Supply Chain Attack, but User Database Leak Possible

Inside.com’s developer newsletter reports: The PHP team no longer believes the git.php.net server was compromised in a recent attack, which prompted PHP to move servers to GitHub and caused the team to temporarily put releases on hold until mid-April…

In an update offering further insight into the root cause of the late March attack, the team says because it’s possible the master.php.net user database was exposed, master.php.net has been moved to main.php.net. The team also reset php.net passwords, and you can visit https://main.php.net/forgot.php to set a new password. In addition, git.php.net and svn.php.net are both read-only now.

Two malicious commits were pushed to the php-src repo from PHP founder Rasmus Lerdorf and PHP core developer Nikita Popov, Popov announced March 28. After an investigation, the PHP team reassured users these malicious commits never reached end-users. However, the team decided to move to GitHub after determining maintaining its own git infrastructure is “an unnecessary security risk.”


“In 2019, the PHP team temporarily shut down its Git server after discovering that an attacker had maliciously replaced the official PHP Extension and Application Repository with a malicious one,” reports CPO magazine. But this newer supply chain attack “targeted any server that uses PHP ZLib compression when sending data. Most servers use this functionality on almost all content except images and archives that are already size optimized.” The supply chain attack would have turned PHP into a remote web shell through which the attackers could execute any command without authentication. This is because the malicious attackers would have the same privileges as the web server running PHP. The backdoor is triggered at the start of a request by checking if the request contains the word “zerodium.” If this condition was met, PHP executes the code in the “User-Agentt” request header. The header closely resembles the PHP “User-Agent” request for checking for browser properties.

The rest of the request would thus be treated as a command that could be executed on a PHP server using the server’s privileges. This would allow the hackers to run any arbitrary command without the need for further privileges…

PHP powers 80% of all websites. Thus, a successful supply chain attack exploiting the language could prove catastrophic.