The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: PHP

A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks

A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks

April 29, 2021Ravie Lakshmanan
The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack. Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from  SonarSource , following which a hotfix was deployed less than 12 hours later. "Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders," Composer  said  its  release notes  for versions 2.0.13 and 1.10.22 published on Wednesday. "To the best of our knowledge the vulnerability has not been exploited." Composer  is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project. It also allows users to install PHP applications that are available on  Packagist , a repository that aggregates all public P
PHP Site's User Database Was Hacked In Recent Source Code Backdoor Attack

PHP Site's User Database Was Hacked In Recent Source Code Backdoor Attack

April 07, 2021Ravie Lakshmanan
The maintainers of the PHP programming language have issued an update regarding the security incident that came to light late last month, stating that the actors may have gotten hold of a user database containing their passwords to make unauthorized changes to the repository. "We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked," Nikita Popov  said  in a message posted on its mailing list on April 6. On March 28, unidentified actors used the names of Rasmus Lerdorf and Popov to  push malicious commits  to the "php-src" repository hosted on the git.php.net server that involved adding a backdoor to the PHP source code in an instance of a software supply chain attack. While this was initially treated as a compromise of the git.php.net server, further investigation into the incident has revealed that the commits were a result of pushing them using HTTPS and password-based authentica
PHP's Git Server Hacked to Insert Secret Backdoor to Its Source code

PHP's Git Server Hacked to Insert Secret Backdoor to Its Source code

March 28, 2021Ravie Lakshmanan
In yet another instance of a software supply chain attack, unidentified actors hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a secret backdoor into its source code. The two malicious commits were pushed to the self-hosted "php-src" repository hosted on the git.php.net server, illicitly using the names of Rasmus Lerdorf, the author of the programming language, and Nikita Popov, a software developer at Jetbrains. The changes are said to have been made yesterday on March 28. "We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account)," Popov  said  in an announcement. The changes, which were committed as " Fix Typo " in an attempt to slip through undetected as a typographical correction, involved provisions for execution of arbitrary PHP code. "This line executes PHP code fro
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.