
Git.PHP.net Not Compromised in Supply Chain Attack, but User Database Leak Possible

Inside.com's developer newsletter reports: The PHP team no longer believes the git.php.net server was compromised in a recent attack, which prompted PHP to move servers to GitHub and caused the team to temporarily put releases on hold until mid-April... In an update offering further insight into the root cause of the late March attack, the team says because it's possible the master.php.net user database was exposed, master.php.net has been moved to main.php.net. The team also reset php.net passwords, and you can visit https://main.php.net/forgot.php to set a new password. In addition, git.php.net and svn.php.net are both read-only now.

Two malicious commits were pushed to the php-src repo from PHP founder Rasmus Lerdorf and PHP core developer Nikita Popov, Popov announced March 28. After an investigation, the PHP team reassured users these malicious commits never reached end-users. However, the team decided to move to GitHub after determining maintaining its own git infrastructure is "an unnecessary security risk."

"In 2019, the PHP team temporarily shut down its Git server after discovering that an attacker had maliciously replaced the official PHP Extension and Application Repository with a malicious one," reports CPO magazine. But this newer supply chain attack "targeted any server that uses PHP ZLib compression when sending data. Most servers use this functionality on almost all content except images and archives that are already size optimized."

The supply chain attack would have turned PHP into a remote web shell through which the attackers could execute any command without authentication. This is because the malicious attackers would have the same privileges as the web server running PHP. The backdoor is triggered at the start of a request by checking if the request contains the word "zerodium." If this condition was met, PHP executes the code in the "User-Agentt" request header. The header closely resembles the PHP "User-Agent" request for checking for browser properties. The rest of the request would thus be treated as a command that could be executed on a PHP server using the server's privileges. This would allow the hackers to run any arbitrary command without the need for further privileges... PHP powers 80% of all websites. Thus, a successful supply chain attack exploiting the language could prove catastrophic.

Read more of this story at Slashdot.


PHP's Git Server Hacked To Add Backdoors To PHP Source Code

Slashdot
Author: BeauHD
dotancohen writes: Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src Git repository. These commits were pushed to create a backdoor that would have effectively allowed attackers to achieve remote code execution through PHP and an HTTP header. "The incident is alarming considering PHP remains the server-side programming language to power over 79% of the websites on the Internet," adds BleepingComputer. "In the malicious commits [1, 2] the attackers published a mysterious change upstream, 'fix typo' under the pretense this was a minor typographical correction. However, taking a look at the added line 370 where zend_eval_string function is called, the code actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on a website running this hijacked version of PHP." According to Popov, the first commit was detected a couple hours after it was made, and the changes were reverted right away. "Although a complete investigation of the incident is ongoing, according to PHP maintainers, this malicious activity stemmed from the compromised git.php.net server, rather than compromise of an individual's Git account," reports BleepingComputer. "As a precaution following this incident, PHP maintainers have decided to migrate the official PHP source code repository to GitHub."

Read more of this story at Slashdot.
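A defender-side check for the trigger that both stories above describe (an added example, not code from the PHP project or from either report): it parses raw HTTP requests and flags the look-alike "User-Agentt" header name and any header value carrying the word "zerodium", which are the two properties the reports attribute to the backdoor. The sample requests, host names and the payload placeholder are constructed for the demo.

```python
from typing import List, Tuple

# Constructed sample requests (not captured traffic). The backdoor described
# in the story fired on the string "zerodium" and then evaluated the content
# of a "User-Agentt" header, so those are the two signals checked here.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: curl/7.76\r\nUser-Agentt: zerodium PLACEHOLDER-PAYLOAD\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: www.example.test\r\n"
    "X-Note: ZeroDium\r\nUser-Agent: curl/7.76\r\n\r\n",
]

def parse_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x request into (name, value) header pairs.

    A list is returned instead of a dict so that look-alike or duplicated
    header names (User-Agent next to User-Agentt) are all kept for inspection.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the request line
    headers = []
    for line in lines:
        if ":" not in line:
            continue  # malformed header line; not relevant to this check
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers

def classify_request(raw_request: str) -> List[str]:
    """Return human-readable findings for one request (empty list = clean)."""
    findings = []
    for name, value in parse_headers(raw_request):
        lname = name.lower()
        # A header name that begins with "user-agent" but is not exactly that
        # (e.g. "User-Agentt") is the look-alike channel the backdoor read.
        if lname.startswith("user-agent") and lname != "user-agent":
            findings.append(f"look-alike header name: {name}")
        # Matched case-insensitively to be conservative; the report only
        # states the literal word "zerodium".
        if "zerodium" in value.lower():
            findings.append(f"trigger string 'zerodium' in header {name}")
    return findings

def scan_requests(requests: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan a batch of raw requests and return (index, findings) for hits."""
    flagged = []
    for i, raw in enumerate(requests):
        findings = classify_request(raw)
        if findings:
            flagged.append((i, findings))
    return flagged

if __name__ == "__main__":
    for idx, findings in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: " + "; ".join(findings))
```

The same two checks translate directly into a WAF or reverse-proxy rule on header names and values, which is where a site that could not immediately rebuild PHP would have placed them.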


PHP 8.0 Brings Major (And Breaking) Changes to a 25-Year-Old Language

"PHP version 8.0 has arrived, bringing with it a major update to the 25-year-old programming language..." writes Tech Republic. New language features include the nullsafe operator and attributes (commonly known as annotations in other languages) to add metadata to classes — and more: The JIT compiler is designed to bring performance improvements to web applications by turning code into instructions for the CPU at runtime. Meanwhile, union types is a feature that allows data of more than one type to be held by a variable. Named arguments allow developers to assign values to a function by specifying the value name, allowing optional parameters to be ignored. Alongside these, version 8.0 of PHP brings optimizations and enhancements to the language's type system, syntax, error handling and consistency.... Commenting on PHP 8.0, PHP programmer and stitcher.io developer, Brent Roose, noted that the latest version of the language may require developers to review code for any breaking changes.

Read more of this story at Slashdot.
