Update to recent git.php.net incident

A recent news of presumably compromised git.php.net attracted many tech publications.

PHP uses Git as its version controlling system, and had a Git server hosted on git.php.net. It contained the full PHP source with the entire commit history to read, and permitted users could push new commits to it. On Sunday 28th of March 2021, this server received two malicious commits, that started the series of news and several actions to rectify the security and integrity of PHP's version controlling system.

It was two Git commits pretended to be from Rasmus Lerdorf, the PHP project founder, and Nikita Popov, one of the most prominent maintainers. Those two Git commits were not made by Rasmus or Nikita, but the Git commits carried their names as the author. It is trivial to modify the author's name of a Git commit, but writing to the Git server required authenticated access.

The attacker managed to place a backdoor, that would execute arbitrary PHP code contained in an User-Agentt header, possibly trying to make it easy to be overlooked because of the standard User-Agent header. The backdoor itself was not trying to be cleaver and hide the fact that it was indeed a backdoor. Two commits (1, 2) with commit messages "typo fix", but containing C code with eval is a surefire way to raise the eyebrows of anyone monitoring the commits.

Nikita and Levi Morrison quickly reverted the changes, and Nikita took immediate actions to shut down the presumably compromised Git server once hosted on git.php.net. He made the existing GitHub mirror the canonical repository, and configured so all PHP collaborators must have Two-Factor Authentication enabled for additional security.

There were no PHP releases that contained the backdoor. The two commits of mal-intent were reverted quickly, and were placed on the master branch of PHP, that will only be released at the end of the year.

---

Nikita recently emailed the PHP internals mailing list with some of his new findings and more information that were not previously disclosed.

Caused by likely vulnerabilities in master.php.net

master.php.net was used to manage users with PHP source repository, and perform various tasks, including authentication to the Git repository over HTTP Digest Authentication.

Nikita mentions that the PHP version and HTTPS configuration of master.php.net is the root cause, and the attacker might have accessed the user database.

master.php.net was using MD5, unsalted to hash user passwords, and with today's hardware and rainbow tables, it is trivial to find the original password from an MD5 digest.

Nikita also send some extracts from the web server logs that indicates the attacker successfully pushing commits to the PHP source repository:

[redacted] - rasmus [27/Mar/2021:20:56:51 -0700] "GET
/push/php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 200 125315
[redacted] - rasmus [27/Mar/2021:20:58:13 -0700] "POST
/push/php-src.git/git-receive-pack HTTP/1.1" 200 1080

[redacted] - nikic [28/Mar/2021:09:13:28 -0700] "GET
/push/php-src.git/info/refs?service=git-receive-pack HTTP/1.1" 200 123263
[redacted] - nikic [28/Mar/2021:09:13:39 -0700] "POST
/push/php-src.git/git-receive-pack HTTP/1.1" 200 1079

(not including 10 other log entries that the attacker is returned with 401 responses on unsuccessful authentication attempts to prior to the successful ones)

---

Prior to the move to GitHub, git.php.net apparently supported HTTP Digest Authentication, which used MD5 digests. Further, svn.php.net server also used MD5. This made using MD5 for password hashing a reasonable choice. However, now that the PHP source is moved to GitHub, it is no longer necessary to use MD5 for any sort of authentication.

New main.php.net

There is a new main.php.net web access that runs updated code with several security pitfalls fixed. This includes password hashing algorithm changes from MD5 to Bcrypt and using parameterized SQL queries, to thwart SQL injection attacks.

New changes are still being worked on, and the code is available in php/web-master repository on GitHub.

SVN repositories for PECL extensions moved to GitHub

PHP source itself was moved to Git several years ago, but there were few PECL extensions that had activity on svn.php.net.

These PECL extensions are now moved to GitHub under github.com/php organization. The existing svn.php.net server is now read-only.

Incident summary

• Sun 28 Mar 2021: Attacker placed a backdoor commit on git.php.net over HTTPS, pretending to be Rasmus Lerdorf. Git server timestamp: 27/Mar/2021:20:58:13 -0700, Git Commit timestamp: Sun Mar 28 05:57:07 2021 +0200
• Sun 28 Mar 2021: Nikita reverted the commit. Git Commit timestamp: Sun Mar 28 11:16:39 2021 +0200
• Sun 28 Mar 2021: Attacker pushed another commit undoing Nikita's revert, bringing the backdoor back. Git server timestamp: 27/Mar/2021:20:58:13 -0700, Git Commit timestamp: Sun 28 Mar 2021 11:53:17 -0600
• Sun 28 Mar 2021: Levi Morrison reverted the last commit. Git Commit timestamp: Sun 28 Mar 2021 11:53:17 -0600
• Mon 29 Mar 2021: git.php.net made read-only.
• Mon 29 Mar 2021: Existing GitHub mirror is now the canonical repository.
• Mon 29 Mar 2021: Nikita emailed the PHP Internals mailing list with the new changes to Git workflow.
• Mon 29 Mar 2021: git.php.net server compromised, move to GitHub, and delayed updates on PHP.Watch.
• Tue 30 Mar 2021: Decision was made to pause PHP releases by two weeks.
• Tue, 06 Apr 2021: Updates to the php-master code that was running on master.php.net.
• Tue, 06 Apr 2021: All user passwords reset on master.php.net.
• Tue, 06 Apr 2021: svn.php.net made read-only.
• Tue, 06 Apr 2021: Few remaining PECL extensions moved to GitHub.
• Tue, 06 Apr 2021: Nikita emailed the PHP Internals mailing list with changes to master.php.net.