An unknown malicious actor has compromised the official PHP Git repository in attempt to add backdoors to the code base of the PHP project.
According to PHP programming language developer and maintainer Nikita Popov, the incident took place last Saturday, on March 28. He said that two malicious commits were pushed to the php-src repository in both his name and that of PHP creator Rasmus Lerdorf.
“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov explained, adding that the maintainers decided to discontinue the git.php.net server because “maintaining our own git infrastructure is an unnecessary security risk.”
“This means that changes should be pushed directly to GitHub rather than to git.php.net,” Popov said.
The malicious commits were disguised as benign typographical errors that needed to be corrected, however, taking a closer look at the line 370 where zend_eval_string function is called contributors noticed that the code actually adds a backdoor that allows malicious code execution on a website running the vulnerable PHP version. The malicious code is executed from within the useragent HTTP header, if the string starts with ‘zerodium’, the name of a well-known exploit seller.
Commenting on the situation, Zerodium’s chief executive Chaouki Bekrar labeled the culprit as a “troll” and said that his company has “nothing to do with this.”
“Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun,” Bekrar tweeted.