PHP maintainer Nikita Popov has posted an update concerning how the source code was compromised and malicious code inserted – blaming a user database leak rather than a problem with the server itself.
The PHP code repository was compromised late last month with the insertion of code that, if left in place, would have enabled a backdoor into any web server running it. The code was initially committed in the name of Rasmus Lerdorf, creator of PHP, and after it was removed, recommitted under Popov's name.
The team originally believed that the server hosting the repository had suffered a break-in, but in a new post Popov said: "We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked."
Password encryption has been upgraded to use bcrypt, which is not compatible with Apache's HTTP Digest authentication
The server in question uses gitolite to enable git hosting, and Popov had observed that "these two commits bypassed the gitolite infrastructure entirely," leading him to suspect a server compromise. This influenced the decision to promote the PHP repository on GitHub to become the primary one since it would take time to diagnose the vulnerability and set up a new server.
Later, though, Popov discovered the repository also supported changes made via HTTPS, using the "git-http-backend behind Apache2 Digest authentication against the master.php.net user database" – something he had not previously been aware of. "I'm not sure why password-based authentication was supported in the first place, as it is much less secu ..