Recent security updates from the maintainers of the PHP programming language have unveiled a breach potentially compromising user credentials. In late March, unauthorized actors are believed to have accessed the user database at master.php.net, raising serious concerns about repository integrity and security.
Nikita Popov, a PHP maintainer, indicated in a communication on April 6 that while they no longer suspect the git.php.net server itself has been infiltrated, there is a risk that the user database may have been exposed. This potential breach raises alarms regarding the exposure of passwords, which could facilitate unauthorized modifications to the PHP repository.
The incident, initially perceived as a compromise of the server, involved the use of prominent figures’ identities, including Rasmus Lerdorf and Popov, to inject malicious code into the “php-src” repository. This action is illustrative of a supply chain attack, where malicious changes are made to a software supply chain, potentially impacting a wide range of users.
Upon deeper investigation, it was determined that the attackers leveraged HTTPS and password-based authentication for the malicious commits. This revelation suggests a potential breach of the master.php.net database, which was suspected after observers noted that the attacker only needed to guess a few usernames to gain access. Popov highlights the fact that the server’s configuration allowed pushes via HTTPS, which did not utilize the same security protocols as SSH, thus increasing vulnerability.
Furthermore, it has come to light that the server’s underlying authentication system operates on outdated software. This factor not only raises concerns about the integrity of the user database but also suggests that attackers may have exploited existing vulnerabilities in older software versions to carry out the attack.
In response to these escalating security concerns, PHP maintainers have transitioned the master.php.net system to a revamped main.php.net infrastructure, incorporating TLS 1.2 for enhanced security. Additionally, they have undertaken the critical step of resetting all user passwords, adopting bcrypt for password hashing instead of relying on less secure methods like MD5.
This incident serves as a stark reminder to organizations about the importance of maintaining robust cyber defenses, particularly concerning software supply chain vulnerabilities. The tactics employed in this breach—such as initial access through credential guessing and the potential exploitation of software vulnerabilities—pose a significant risk to both individual developers and larger enterprises relying on secure coding practices.
As the cybersecurity landscape continues to evolve, staying informed of such incidents and adopting proactive measures are essential for mitigating risks associated with both known and unknown vulnerabilities.
