The maintainers of the PHP programming language have issued an update on the security incident that came to light late last month, stating that the attackers may have obtained a user database containing account passwords and used it to push unauthorized changes to the repository.
“We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked,” Nikita Popov said in a message posted to the project's mailing list on April 6.
On March 28, unidentified actors used the names of Rasmus Lerdorf and Popov to push malicious commits to the “php-src” repository hosted on the git.php.net server, adding a backdoor to the PHP source code in what amounts to a software supply chain attack.
While this was initially treated as a compromise of the git.php.net server itself, further investigation has revealed that the commits were pushed over HTTPS using password-based authentication rather than SSH keys, leading the maintainers to suspect a leak of the master.php.net user database instead.
“git.php.net (intentionally) support[s] pushing changes not only via SSH (using the Gitolite infrastructure and public key cryptography), but also via HTTPS,” Popov said. “The latter did not use Gitolite, and instead used git-http-backend behind Apache 2 Digest authentication against the master.php.net user database.”
“It is notable that the attacker only makes a few guesses at usernames, and successfully authenticates once the correct username has been found. While we don't have any specific evidence for this, a possible explanation is that the user database of master.php.net has been leaked, although it is unclear why the attacker would need to guess usernames in that case.”
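The username-guessing pattern Popov describes leaves a distinctive trace in the web server log of an HTTPS push endpoint: a normal Digest client sends one unauthenticated request, receives a 401 challenge, and then succeeds, whereas a guessing attacker collects 401s under several different named users before one of them is accepted. The script below, written as an added example and not part of php.net's infrastructure or Popov's post, runs that check over constructed Apache “combined”-format log lines; the repository path, client addresses and usernames are placeholders.

```php
<?php
// Added example (not php.net's code): flag HTTP Digest username guessing
// against a git-http-backend push endpoint from Apache "combined" logs.
// The log below is constructed; path, IPs and usernames are placeholders.
// Note the benign client (198.51.100.7): its first request is anonymous
// ("-") and gets the 401 Digest challenge, then it succeeds as user9.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - user1 [28/Mar/2021:18:02:10 +0000] "GET /repository/php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"
203.0.113.5 - user2 [28/Mar/2021:18:02:14 +0000] "GET /repository/php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"
203.0.113.5 - user3 [28/Mar/2021:18:02:19 +0000] "GET /repository/php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 200 512 "-" "git/2.30.0"
203.0.113.5 - user3 [28/Mar/2021:18:02:20 +0000] "POST /repository/php-src.git/git-receive-pack HTTP/1.1" 200 0 "-" "git/2.30.0"
198.51.100.7 - - [28/Mar/2021:18:05:00 +0000] "GET /repository/php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 401 381 "-" "git/2.30.0"
198.51.100.7 - user9 [28/Mar/2021:18:05:03 +0000] "GET /repository/php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 200 512 "-" "git/2.30.0"
LOG;

// Apache combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i".
// %u carries the username the client *claimed*, even when the status is 401.
const LINE_RE = '/^(?<ip>\S+) \S+ (?<user>\S+) \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) /';

function parseLine(string $line): ?array
{
    if (!preg_match(LINE_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m['ip'],
        'user'   => $m['user'] === '-' ? null : $m['user'],
        'path'   => $m['path'],
        'status' => (int) $m['status'],
    ];
}

/**
 * For each client IP, collect the distinct *named* users rejected with 401
 * on the push (git-receive-pack) endpoint; report the IP if at least
 * $threshold such users were rejected before it authenticated successfully.
 */
function findUsernameGuessing(string $log, int $threshold = 2): array
{
    $rejected = []; // ip => [username => true]
    $flagged  = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parseLine($line);
        if ($e === null || strpos($e['path'], 'git-receive-pack') === false) {
            continue;
        }
        if ($e['status'] === 401 && $e['user'] !== null) {
            $rejected[$e['ip']][$e['user']] = true;
        } elseif ($e['status'] === 200 && $e['user'] !== null
            && count($rejected[$e['ip']] ?? []) >= $threshold) {
            $flagged[$e['ip']] = [
                'guessed'   => array_keys($rejected[$e['ip']]),
                'succeeded' => $e['user'],
            ];
        }
    }
    return $flagged;
}

foreach (findUsernameGuessing(SAMPLE_LOG) as $ip => $info) {
    printf("%s: %d rejected usernames (%s) before authenticating as %s\n",
        $ip, count($info['guessed']), implode(', ', $info['guessed']), $info['succeeded']);
}
```

Run with `php detect.php`. The anonymous 401 that every Digest client triggers is deliberately ignored (`user === null`), so only guesses made under a real-looking username count; on a production log you would also want to bound the window between the rejections and the success, and to confirm what your Apache version writes to `%u` on a failed Digest exchange before relying on it.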
Moreover, the master.php.net authentication system is said to have been running on a very old operating system and an old version of PHP, raising the possibility that the attackers may also have exploited a vulnerability in that software to stage the attack.
As a consequence, the maintainers have migrated master.php.net to a new main.php.net system with support for TLS 1.2, reset all existing passwords, and switched to storing passwords as bcrypt hashes instead of plain (unsalted) MD5 hashes.
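The storage change matters because an unsalted MD5 table is essentially a list of passwords once it leaks: identical passwords produce identical hashes, and MD5 is fast enough to be brute-forced at billions of guesses per second. The snippet below is an added example, not code from master.php.net or main.php.net; it shows the weak scheme beside the bcrypt scheme using PHP's built-in `password_*` API. The user table is constructed and the cost factor is an assumption to be tuned per host. The page says existing passwords were reset outright; the `rehashIfNeeded()` helper generalises to the related case of raising the cost factor later without another reset.

```php
<?php
// Added example, not php.net's code. Unsalted MD5 (the old scheme) beside
// bcrypt via password_hash() (the new scheme).

// --- Weak: plain MD5. No salt, same password => same hash for every user,
// and cheap enough to crack offline once the table leaks. ---
function storeWeak(string $password): string
{
    return md5($password);
}

function verifyWeak(string $password, string $stored): bool
{
    return hash_equals($stored, md5($password));
}

// --- Hardened: bcrypt. password_hash() generates a random per-hash salt and
// embeds salt, cost and algorithm in the output ($2y$12$...), so nothing
// else needs to be stored alongside it. ---
const BCRYPT_COST = 12; // assumption: pick so one hash takes ~100-250 ms on the auth host

function storeBcrypt(string $password): string
{
    // bcrypt only looks at the first 72 bytes; reject longer input rather
    // than silently truncating it.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password exceeds 72 bytes');
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verifyBcrypt(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// After a successful login, return a new hash if the stored one was made
// with a lower cost than the current target (or a different algorithm).
function rehashIfNeeded(string $password, string $stored): ?string
{
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return storeBcrypt($password);
    }
    return null;
}

// Constructed demo table: two users who chose the same password.
$users = ['user1' => 'correct horse battery', 'user2' => 'correct horse battery'];

$weakTable   = array_map('storeWeak', $users);
$strongTable = array_map('storeBcrypt', $users);

if ($weakTable['user1'] !== $weakTable['user2']) {
    throw new LogicException('unsalted MD5 should collide for equal passwords');
}
if ($strongTable['user1'] === $strongTable['user2']) {
    throw new LogicException('bcrypt salts should make the hashes differ');
}
if (!verifyBcrypt('correct horse battery', $strongTable['user1'])
    || verifyBcrypt('wrong password', $strongTable['user1'])) {
    throw new LogicException('bcrypt verification misbehaved');
}

// A hash made at a lower cost gets upgraded on the next successful login.
$oldHash = password_hash('correct horse battery', PASSWORD_BCRYPT, ['cost' => 10]);
$upgraded = rehashIfNeeded('correct horse battery', $oldHash);
printf("weak hashes equal: %s\n", var_export($weakTable['user1'] === $weakTable['user2'], true));
printf("bcrypt hashes equal: %s\n", var_export($strongTable['user1'] === $strongTable['user2'], true));
printf("cost-10 hash rehashed: %s\n", var_export($upgraded !== null, true));
```

`password_verify()` and `hash_equals()` both compare in constant time; the plain `===` comparison that a hand-rolled MD5 check often uses leaks timing information on top of the weak hash. Changing the hashing scheme on its own does not help accounts whose old MD5 hashes were already cracked, which is why the reset of every existing password was the necessary companion to the switch.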