
A hacker compromised the server used to distribute the PHP programming language and added a backdoor to its source code that would have made websites vulnerable to complete takeover, members of the open source project said.

Two updates pushed to the PHP Git server over the weekend added a line that, if run by a PHP-powered website, would have allowed visitors with no authorization to execute code of their choice. The two malicious commits gave the code a code-injection capability that was triggered for visitors who sent the word “zerodium” in an HTTP header.

The commits were made to the php-src repo under the account names of two well-known PHP developers, Rasmus Lerdorf and Nikita Popov. “We don't yet know how exactly this happened, but everything points toward a compromise of the server (rather than a compromise of an individual git account),” Popov wrote in a notice published on Sunday night.

In the aftermath of the compromise, Popov said that PHP maintainers have concluded that their standalone Git infrastructure is an unnecessary security risk. As a result, they will discontinue the server and make GitHub the official source for PHP repositories. Going forward, all PHP source code changes will be made directly to GitHub rather than to their own git server.

The malicious changes came to public attention no later than Sunday night, when developers including Markus Staab, Jake Birchall, and Michael Voříšek scrutinized a commit made on Saturday. The update, which purported to fix a typo, was made under an account that used Lerdorf’s name. Shortly after the first discovery, Voříšek spotted the second malicious commit, which was made under Popov’s account name. It purported to revert the previous typo fix.

Bad karma

Zerodium CEO Chaouki Bekrar responded on Twitter: “Cheers to the troll who put ‘Zerodium’ in today's PHP git compromised commits. Obviously, we have nothing to do with this. Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun 😃”

Prior to the compromise, The PHP Group handled all write access to the repository on their own git server using what Popov called a “home-grown” system called Karma. It provided developers different levels of access privileges depending on previous contributions. GitHub, meanwhile, had been a mirror repository. Now, the PHP Group is abandoning the self-hosted and managed git infrastructure and replacing it with GitHub. The change means that GitHub is now the “canonical” repository. The PHP Group will no longer use the Karma system.
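The commits above were caught because developers read a “typo fix” closely enough to notice it added executable code. The following Python script is an added example, not code from the article or from the PHP project: it automates that review heuristic by flagging commits whose message promises a cosmetic change (a typo fix or a revert) but whose diff adds dynamic code evaluation or request-header handling. The sample commits, their SHAs, authors, file paths and the `MARKER` name are constructed for the example; the risky-token list is a starting point, not an exhaustive one.

```python
"""Triage commits whose message claims a trivial change but whose diff
adds code that can execute or consume attacker-controlled input."""
import re
from dataclasses import dataclass

# Commit messages that promise a cosmetic or reverting change.
TRIVIAL_MSG = re.compile(r"\b(typo|whitespace|comment|revert)\b", re.IGNORECASE)

# Added lines that have no place in a cosmetic change: dynamic code
# evaluation, process execution, or reading request/environment data.
RISKY_ADDITION = re.compile(
    r"zend_eval_string|\beval\s*\(|\bsystem\s*\(|\bexec\s*\(|shell_exec"
    r"|\bpopen\s*\(|HTTP_[A-Z_]+|\bgetenv\s*\("
)


@dataclass
class Commit:
    sha: str
    author: str
    message: str
    diff: str


def added_lines(diff):
    """Yield the content of '+' lines in a unified diff, skipping '+++' headers."""
    for line in diff.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            yield line[1:]


def triage(commits):
    """Return one finding per commit that claims a trivial change yet adds risky code."""
    findings = []
    for c in commits:
        if not TRIVIAL_MSG.search(c.message):
            continue  # message does not claim to be trivial; out of scope here
        hits = [l.strip() for l in added_lines(c.diff) if RISKY_ADDITION.search(l)]
        if hits:
            findings.append({"sha": c.sha, "author": c.author, "hits": hits})
    return findings


# Constructed sample input: one genuine typo fix and one "typo fix" that
# adds an evaluation of request data. SHAs and paths are made up.
SAMPLE_COMMITS = [
    Commit(
        sha="a1b2c3d",
        author="maintainer@example.org",
        message="Fix typo in comment",
        diff=(
            "--- a/ext/example/example.c\n"
            "+++ b/ext/example/example.c\n"
            "@@ -10,1 +10,1 @@\n"
            "-/* recieve the buffer */\n"
            "+/* receive the buffer */\n"
        ),
    ),
    Commit(
        sha="d4e5f6a",
        author="maintainer@example.org",
        message="Fix typo",
        diff=(
            "--- a/ext/example/example.c\n"
            "+++ b/ext/example/example.c\n"
            "@@ -42,0 +42,4 @@\n"
            "+    /* constructed stand-in for an injected line: runs request data as code */\n"
            "+    if (strstr(Z_STRVAL_P(header), MARKER)) {\n"
            "+        zend_eval_string(Z_STRVAL_P(header), NULL, \"inline\");\n"
            "+    }\n"
        ),
    ),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_COMMITS):
        print(f"{f['sha']} by {f['author']}: claims trivial change but adds")
        for h in f["hits"]:
            print("    " + h)
```

In practice the diffs would come from `git log -p` on the canonical repository, and a hit is a reason for a human to read the commit, not a verdict; the point is that the check compares what a commit says against what it does, which is exactly the mismatch the reviewers here noticed by hand.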
