The news, coming initially from VUPEN as far as I can see, is spreading that PHP.NET has been hacked. PHP sources released on the website seem to have been backdoored, or at least modified.

Some Chinese website is providing screenshots of both the attack and the source alteration. The second one seems legitimate, while the first one clearly has no impact on PHP's security:

PHP.NET compromise: credits.c diff

PHP.NET compromise: PHPHC shell

If the screenshots are real, then the source file alterations were benign: they only affect the credits of the application, located at src/trunk/ext/standard/credits.c in the PHP repository. I haven't checked yet whether more files were affected.

There is no information yet on how the hack was achieved, even though the second screenshot clearly shows some kind of web vulnerability being exploited: an HTTP-header-based web shell able to execute commands with the rights of the Debian web server's Unix user account, www-data. A backdoor of that kind receives its commands in request headers rather than in the URL or POST body, so the commands never show up in a standard access log (Apache's combined format only records the request line, Referer and User-Agent); finding it means looking at the PHP files on disk, not at the logs.
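
As an added example (not code from the original post, from php.net or from the attacker), here is a small Python scanner for the pattern the second screenshot describes: data taken from HTTP request headers ($_SERVER['HTTP_*'], getallheaders(), apache_request_headers()) that reaches a code- or command-execution sink in PHP source. The sample PHP it runs on is constructed for the example. The taint tracking is deliberately simple (one file, straight-line assignments, regexes instead of a PHP parser), so it is a triage aid for a wiki or web root, not a proof of absence.

```python
"""Flag PHP code where request-header data reaches eval/system/passthru/... or
the backtick operator, i.e. the shape of an HTTP-header-driven web shell."""
import re
import sys

# Sources: anything an HTTP client controls through request headers.
HEADER_SOURCES = [
    re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_[A-Z0-9_]+['\"]\s*\]"),
    re.compile(r"\b(?:getallheaders|apache_request_headers)\s*\("),
]
# Sinks: functions that run PHP code or a shell command from a string.
EXEC_SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru",
              "popen", "proc_open", "create_function")
SINK_RE = re.compile(r"\b(" + "|".join(EXEC_SINKS) + r")\s*\((.*)\)")
BACKTICK_RE = re.compile(r"`([^`]*)`")          # `cmd` == shell_exec("cmd")
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)\s*(.+?);", re.S)
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")


def _touches_header(expr, tainted):
    """True if expr reads a header source directly or uses a tainted variable."""
    if any(p.search(expr) for p in HEADER_SOURCES):
        return True
    return any(v in tainted for v in VAR_RE.findall(expr))


def _tainted_vars(src):
    """Fixpoint over simple assignments: the left-hand side becomes tainted when
    the right-hand side touches a header source or an already tainted variable.
    Wrappers such as base64_decode() or str_rot13() do not clear taint."""
    tainted = set()
    while True:
        before = len(tainted)
        for lhs, rhs in ASSIGN_RE.findall(src):
            if _touches_header(rhs, tainted):
                tainted.add(lhs)
        if len(tainted) == before:
            return tainted


def find_header_shells(src):
    """Return [(line_no, sink_name, source_line)] for every exec sink or
    backtick expression whose argument derives from request headers."""
    tainted = _tainted_vars(src)
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        for m in SINK_RE.finditer(line):
            if _touches_header(m.group(2), tainted):
                findings.append((n, m.group(1), line.strip()))
        for m in BACKTICK_RE.finditer(line):
            if _touches_header(m.group(1), tainted):
                findings.append((n, "backtick", line.strip()))
    return findings


# Constructed sample (not php.net code): one legitimate header use, then three
# header-driven shells of increasing indirection.
SAMPLE_PHP = r"""<?php
// legitimate: content negotiation, output is escaped
$lang = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
echo htmlspecialchars($lang);
// backdoors: the command arrives in a custom request header
eval($_SERVER['HTTP_X_PAYLOAD']);
$c = base64_decode($_SERVER['HTTP_X_CMD']);
system($c);
$h = getallheaders();
$out = `{$h['X-Run']}`;
"""

if __name__ == "__main__":
    # Usage: python header_shell_scan.py [file.php ...]; no args scans the sample.
    targets = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8", errors="replace").read())
               for p in targets] or [("<sample>", SAMPLE_PHP)]
    for name, src in sources:
        for n, sink, text in find_header_shells(src):
            print(f"{name}:{n}: header data reaches {sink}: {text}")
```

Run against the sample it reports lines 6, 8 and 10 and stays quiet about the Accept-Language handling on line 3, which is the distinction that matters: reading headers is normal, executing them is not. Pointing it at a web root (`find /var/www -name '*.php' -print0 | xargs -0 python header_shell_scan.py`) gives a first list of files to read by hand.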

UPDATE: well, after double-checking the PHP SVN logs, I found this: http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/credits.c?r1=306409&r2=306411. Nothing really exciting here: the strange patch to credits.c was reverted a few days after it was committed.

So what? Well, I guess VUPEN are right: PHP.NET was compromised at some point, or the wiki wouldn't be down. On the other hand, the second screenshot doesn't provide enough information to establish its credibility.

Let's wait for more information from VUPEN, which seems to be the only reliable source so far. The main question here: is the issue fixed? Do we need to rush the PHP 5.3.6 update?

The vulnerability is most likely a functional one (i.e. « inside the wiki's PHP code », as opposed to « inside the PHP interpreter's C code ») rather than a low-level memory-corruption bug: the wiki.php.net server runs a GNU/Linux kernel patched with grsecurity by the staff of OVH (a French hosting company). That kernel patch makes exploiting low-level vulnerabilities pretty much a living hell for attackers: ASLR and non-executable memory (DEP/NX) are the main keywords here. Those mitigations do nothing against an application-level flaw, though: running attacker-chosen PHP or shell commands through a header-based backdoor requires no memory corruption at all. I really hope to get more information soon about that particular exploit.

Let's hope the PHP.NET team communicates as soon as possible about the exploited vulnerability and the risk level for the thousands of PHP installations out there. I'll try and keep this news up to date.

If anyone has more information about this subject, please post 'em here!

Confirmed!

In an official security notice released yesterday evening, the PHP team confirmed the rumor and gave a few details:

The wiki.php.net box was compromised and the attackers were able to collect wiki account credentials. No other machines in the php.net infrastructure appear to have been affected. Our biggest concern is, of course, the integrity of our source code. We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found. The compromised machine has been wiped and we are forcing a password change for all svn accounts.
We are still investigating the details of the attack which combined a vulnerability in the Wiki software with a Linux root exploit.

We’re still looking for any news and details about the attack.


9 comments until now

  1. What is the PHP version affected?

  2. « dev », is that affecting 5.3.6?

    updated my system yesterday…

  3. Richard Quadling @ 2011-03-18 16:31

    Johann and mahlouf, this is 4 months old news.

    Please read : http://bjori.blogspot.com/2010_12_01_archive.html.

    The change was spotted within 10 minutes and reverted.

    Regards,

    Richard Quadling.

  4. @Richard Quadling: ok, I see. Confirmed that the screenshots are fake.
    By the way, any reason for the wiki subdomain to be down?

  5. Zarul Shahrin @ 2011-03-18 17:39

    Bro,

    The so-called « timestamp » has nothing to do with the Wiki. Please do « uname -a » on your *nix system and you will be enlightened.

  6. The article has been updated to fix the error about « uname -a ».
    We’ll try and keep you up to date on this matter.

  7. Let me tell you, guys!

    the server has been rooted by some of them!

    wow! the administrator will be busy!

  8. lol, anyone got the wiki/kernel version of the wiki srv?

  9. [...] for me to write an article after the awesome post from luc about php.net hack rumors. I’ll give you here some tips i used a loooong time ago. I used it to gather a maximum of [...]
