Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

User database was also hacked in the recent hack of PHP ‘s Git Server

The maintainers of the PHP programming language confirmed that threat actors may have compromised a user database containing their passwords. The maintainers of the PHP programming language have provided an update regarding the security breach that took place on March 28. Unknown attackers hacked the official Git server of the PHP programming language and pushed […]

PHP DB hacked

The maintainers of the PHP programming language confirmed that threat actors may have compromised a user database containing their passwords.

The maintainers of the PHP programming language have provided an update regarding the security breach that took place on March 28.

Unknown attackers hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a backdoor into the source code. On March 28, the attackers pushed two commits to the “php-src” repository hosted on the git.php.net server, they used the accounts of Rasmus Lerdorf, the PHP’s author, and Jetbrains developer Nikita Popov.

Below a summary provided by Nikita Popov on what has emerged during the investigation:

  • We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked.
  • master.php.net has been migrated to a new system main.php.net.
  • All php.net passwords have been reset. Go to https://main.php.net/forgot.php to set a new password.
  • git.php.net and svn.php.net are both read-only now, but will remain available for the time being.

Popov explained that further investigation into the incident revealed that the commits were also pushed via HTTPS and password-based authentication.

“Something I was not aware of at the time is that git.php.net (intentionally) supported pushing changes not only via SSH (using the gitolite infrastructure and public key cryptography), but also via HTTPS. The latter did not use gitolite, and instead used git-http-backend behind Apache2 Digest authentication against the master.php.net user database.” continues Popov. “I’m not sure why password-based authentication was supported in the first place, as it is much less secure than pubkey authentication. Based on access logs, we can determine that the commits were indeed pushed using HTTPS and password-based authentication. An excerpt of relevant log entries is shown below”

PHP DB hacked

Popov pointed out that the attackers only made only a few attempts to guess usernames, and one attempt was successful. At the time of this writing, it is not clear if the credentials of this specific user in the database of master.php.net has been leaked because apparently, the attackers had no reason to guess usernames once compromised the database.

The PHP maintainers also noticed that master.php.net system, which is used for authentication and various management tasks, was running very old code and was based on a very old operating system / PHP version.

Below a list of improvements implemented to secure this system:

  • master.php.net was migrated to a new system (running PHP 8) and renamed to main.php.net at the same time. Among other things, the new system supports TLS 1.2, which means you should no longer see TLS version warnings when accessing this site.
  • The implementation has been moved towards using parameterized queries, to be more confident that SQL injections cannot occur.
  • Passwords are now stored using bcrypt.
  • Existing passwords were reset (use main.php.net/forgot.php to generate a new one).

The maintainers have already migrated master.php.net to a new main.php.net system which provides support for TLS 1.2, they have also forced password reset and replaced the MD5 hashing function with the bcrypt a password-hashing function.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]