Update on PHP source code compromise: User database leak suspected
Security News, April 2021
PHP maintainer Nikita Popov has posted an update on how the PHP source code was compromised and malicious code inserted, blaming a leak of the project's user database rather than a weakness in the git server itself.
The PHP project's git repository (git.php.net) was compromised in late March 2021 with the insertion of code that, had it remained in place and shipped, would have provided a backdoor into any web server running a PHP build that included it.
The user database was part of "very old code on a very old operating system/PHP version," said Popov, who added that a vulnerability "would not be terribly surprising."
The actions taken so far include resetting all passwords and amending the code to use parameterised queries, which protects it against SQL injection.
Parameterised queries have been recommended practice for many years; that code which did not use them ran at the heart of the PHP project's own infrastructure for so long shows how insecure legacy code can linger in an organisation when it works and causes no obvious problems.
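The fix described above, as an added example that is not code from php.net's infrastructure or from Popov's update: the same user lookup written first with string interpolation and then with a PDO prepared statement, run against an in-memory SQLite table holding constructed rows. It assumes the pdo_sqlite extension is available; the table, column and function names are illustrative.

```php
<?php
declare(strict_types=1);

// Added example (not php.net's code). Assumes the pdo_sqlite extension is loaded.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
// Constructed sample rows; the hashes are placeholders, not real credentials.
$pdo->exec("INSERT INTO users VALUES ('alice', 'hash-a'), ('bob', 'hash-b')");

// Vulnerable form: the caller-supplied value becomes part of the SQL text,
// so a quote in the input changes the structure of the query.
function lookupVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT username, pass_hash FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value is bound as a parameter. The query structure is fixed
// at prepare time, and the input is only ever compared as data.
function lookupParameterised(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username, pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Classic tautology payload: turns "username = ''" into "username = '' OR '1'='1'".
$payload = "' OR '1'='1";

$leaked = lookupVulnerable($pdo, $payload);
printf("vulnerable query: %d row(s) returned for injected input\n", count($leaked));
foreach ($leaked as $row) {
    printf("  %s  %s\n", $row['username'], $row['pass_hash']);
}

$safe = lookupParameterised($pdo, $payload);
printf("parameterised query: %d row(s) returned for the same input\n", count($safe));

// Legitimate lookups still work with the parameterised version.
$alice = lookupParameterised($pdo, 'alice');
printf("parameterised query: %d row(s) returned for 'alice'\n", count($alice));
```

The vulnerable function dumps the whole table for the injected input, which is the same class of failure that would let an attacker walk off with a user database; the parameterised function returns nothing for it, because the quote is matched literally rather than parsed. Note for MySQL deployments: set `PDO::ATTR_EMULATE_PREPARES` to `false` so that parameters are bound by the server rather than interpolated client-side by the driver.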
Popov said that a "small handful" of PECL extensions were still using an older source code management system called Subversion, with code hosted at svn.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/04/07/update_on_php_source_code/