fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

PHP’s Git Server Hacked To Add Backdoors To PHP Source Code

PHP’s Git Server Hacked To Add Backdoors To PHP Source Code

In the latest software supply chain attack, the official PHP Git repository was hacked and the code base tampered with.

Yesterday, two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server.

The threat actors had signed off on these commits as if these were made by known PHP developers and maintainers, Rasmus Lerdorf  and Nikita Popov.

RCE backdoor planted on PHP Git server

In an attempt to compromise the PHP code base, two malicious commits were pushed to the official PHP Git repository yesterday.

The incident is alarming considering PHP remains the server-side programming language to power over 79% of the websites on the Internet. 

In the malicious commits [12] seen by BleepingComputer, the attackers published a mysterious change upstream, “fix typo” under the pretense this was a minor typographical correction.

Also Read: The Difference Between GDPR And PDPA Under 10 Key Issues

A malicious commit that attackers signed off on as Rasmus Lerdorf (illicitly) plants a remote code execution backdoor

However, taking a look at the added line 370 where zend_eval_string function is called, the code actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on a website running this hijacked version of PHP.

“This line executes PHP code from within the useragent HTTP header, if the string starts with ‘zerodium’,” responded PHP developer Jake Birchall to Michael Voříšek, who had first pointed out the anomaly.

In an email interview, PHP maintainer Nikita Popov told us:

“The first commit was found a couple hours after it was made, as part of routine post-commit code review. The changes were rather obviously malicious and reverted right away,” Popov told BleepingComputer.

Additionally, the malicious commit was made in the name of PHP creator, Rasmus Lerdorf.

But, that is hardly surprising as with source code version control systems like Git, it is possible to sign-off a commit as coming from anybody else locally and then upload the forged commit to the remote Git server, where it gives off the impression as if it had indeed been signed-off by the person named on it.

Official announcement (linked below) states the incident points towards a server compromise

Although a complete investigation of the incident is ongoing, according to PHP maintainers, this malicious activity stemmed from the compromised git.php.net server, rather than compromise of an individual’s Git account.

PHP official code base migrated to GitHub

As a precaution following this incident, PHP maintainers have decided to migrate the official PHP source code repository to GitHub.

“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server.”

“Instead, the repositories on GitHub, which were previously only mirrors, will become canonical,” announced Popov.

With this change going forward Popov insists that any code changes be pushed directly to GitHub rather than the git.php.net server from this point on.

Those interested in contributing to the PHP project will now need to be added as a part of PHP organization on GitHub.

The instructions on that are provided in the same security announcement.

For membership in the organization you would need to have two-factor authentication (2FA) enabled on your GitHub account.

“We’re reviewing the repositories for any corruption beyond the two referenced commits,” says Popov.

BleepingComputer reached out to both Popov and the PHP security team to find out the complete extent of this compromise, and if any code was distributed downstream before the malicious commits were caught.

“It may have been cloned/forked in the meantime, but the changes did not make it into any tags or release artifacts.”

“The changes were on the development branch for PHP 8.1, which is due to release at the end of the year,” Popov further told BleepingComputer.

Also Read: PDPA Compliance Singapore: 10 Areas To Work On

The PHP team has confirmed to BleepingComputer that they plan on eventually decommissioning their git server in the upcoming days and move to GitHub permanently.

This is a developing story.

Update 29-Mar-21 7:22 AM ET: Added response from PHP maintainer Nikita Popov.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us