PHP repository moved to GitHub after malicious code inserted under creator Rasmus Lerdorf's name
Backdoor quickly spotted and reverted
The main code repository for PHP, which powers nearly 80 per cent of the internet, was breached to add malicious code and is now being moved to GitHub as a precaution.
"Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and myself. We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account)," said PHP maintainer Nikita Popov, who works with the PHP team at JetBrains.
The malicious code is a backdoor into servers running the modified version. "This line executes PHP code from within the useragent HTTP header, if the string starts with 'zerodium'," explained PHP developer Jake Birchall.
The code was inserted under the misleading name "Fix typo" and claimed to be signed off by Rasmus Lerdorf, the creator of PHP. The attribution is "just part of the commit message," said Popov in a discussion on StackOverflow.
Popov reverted the code, which was then restored by a criminal seven hours later, using Popov's name. The backdoor survived for one hour before being again removed.
The backdoor code was inserted yesterday under the title "fix typo" and attributed to PHP creator Rasmus Lerdorf
GitHub repos now canonical
The incident is still being investigated, but Popov said: "We have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net."
Write access to PHP repositories will now require membership of the PHP organisation as well as enabling two-factor authentication for GitHub. Popov added: "We're reviewing the repositories for any corruption beyond the two referenced commits."
Even if we don't require it, we should STRONGLY encourage it. I've been signing my commits for several years now, it's not even that hard
"The PHP project is notoriously bad with infrastructure, it just doesn't have the funds to dedicate someone to it at the level necessary," said Mark Randall, a software engineer, on StackOverflow. "GitHub is offering its services for free to us, just as it does to everyone else. We'd be silly to pass up the opportunity, if anything it's just a shame it took an attack to incentivise the move."
The incident has renewed pressure from the community for cryptographic signing of code commits. "Even if we don't require it, we should STRONGLY encourage it. I've been signing my commits for several years now, it's not even that hard," said developer Sara Golemon in a comment to Popov's announcement.
Lerdorf himself appeared to favour the proposal, saying: "I think for php-src commits we can require it. For doc and other repos we can make it optional for now until people are more comfortable with it."
PHP is used by "79.1 per cent of all the websites whose server-side programming language we know," according to statistics from W3techs.
The brief appearance of malicious code in the official repository does not mean it will make its way into many of those servers. PHP is most often installed from distribution repositories, such as those for Red Hat or Ubuntu, which are unlikely to be affected, unless malicious commits that have survived for longer are revealed.
Even so, the successful breach of the main PHP repository is a matter of great concern, as well as raising the question of how well other open-source repositories are protected – though the speed at which the PHP community noticed the problem is reassuring.
Google's open-source security team lead Dan Lorenc told us: "We require that all open source we use is built by us, from our internal repositories."
Lorenc said this was mainly to ensure that it could build and patch the code itself if necessary, but it also reduces the risk from an incident such as this, if it is caught before the code is replicated.
Immediate action is required by maintainers of PHP repositories that pull code from the official source, which is to change the upstream repository to email@example.com:php/php-src.git. ®