
This weekend's PHP hack serves as the latest reminder of the importance of server security, and of the need to do better.

Just two days ago (Sunday, March 28), hackers breached the internal Git repository of the immensely popular PHP programming language, which is used by almost 80% of all websites on the Internet, and added a backdoor to the PHP source code. According to a message that the PHP team posted on its mailing list late Sunday night, the malicious code was committed to the PHP source code through the accounts of two core PHP team members, Rasmus Lerdorf and Nikita Popov, neither of whom was involved. Popov stated in this message: "We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server."

Luckily, the backdoor mechanism was first spotted by Michael Voříšek, a Czech-based software engineer, before it made it into production. As a result of this security breach, the PHP team made the collective decision on Monday, March 29, to move source code management operations from its internal Git server to its official GitHub account, which will be PHP’s official Git repository going forward.

Although we are pleased that this backdoor was caught before it made it into production, the incident highlights the need for stronger PHP security through preventative server security measures and secure server administration. Had this backdoor made it into production, the malicious code would have allowed threat actors to execute their own malicious PHP commands on victims' servers. On a broader scale, the majority of attacks on PHP servers can be attributed to misconfigurations and poor server administration. In another notable security incident, which occurred less than three years ago and which has yet to be explained, hackers compromised the official website of the PHP PEAR extensions system and hosted a backdoored version of the PHP PEAR package manager for nearly six months.

This string of PHP hacks should serve as a collective call to action for the open-source community to hold open-source projects accountable for the security of their source code and their servers, in order to prevent future vulnerabilities and hacks. And it is not only core team members who are responsible. Users should be contributing to the security of the projects they benefit from, whether by reviewing source code, making a donation or helping others get involved. The security of open-source projects is highly dependent upon community involvement, and regardless of your education, experience or skill set, there is something you can do to contribute to the security of open source. Right now, attackers are running the show. It's time to come together as a community and level up!

What are your thoughts on this weekend’s hack? Need guidance on how you can get involved in improving PHP security? Let’s chat!
