Attackers managed to implement a backdoor in PHP’s official Git repo. Two commits were made on Sunday 28th March 2021 which were apparent “minor adjustments”, however, enabled the ability to preform remote code execution on any server running PHP. This was shortly discovered by PHP users.
Nikita Popov issued a statement, claiming “We don’t yet know how
exactly this happened, but everything points towards a compromise of the
git.php.net server”, rather than an individual Git account.
The commit was supposedly done on behalf of two main programmers for PHP, Rasmus Lerdorf and Nikita Popov.
Since the exploit did not enter a production release, there is very little chance that websites have actually been affected. It has been clarified that this is a commit that has not entered the release cycle.
According to the PHP team, the existing Git server is no longer secure. Therefore, as a precaution, all source code has been moved to Github. The developers stress that every developer should use two-step verification. The repos were already seen as read-only, but after the incident they also became canonical, according to developer Popov.
It seems that the exploit could only be ran if a particular HTTP header contained a specific string, “zerodium”. Zerodium is a well-known company that pays money for purchasing exploits. It is not clear if there is really a link to Zerodium, but it seems more likely that this is, for example, a security researcher who uses the company name to stand out.
The commit was since reverted.