Details of the compromise of the PHP project's git repository and user database

The first results of the analysis of the incident involving two malicious commits in the PHP project's Git repository have been published. The commits planted a backdoor that was triggered by sending a request with a specially crafted User-Agent header. Studying the traces left by the attackers led to the conclusion that the git.php.net server itself, which hosted the git repository, had not been hacked; instead, the database containing the accounts of the project's developers had been compromised.

It is possible that the attackers were able to download the user database stored in the DBMS on the master.php.net server. The contents of master.php.net have already been migrated to a new main.php.net server installed from scratch. All developer passwords used to access the php.net infrastructure have been reset, and the process of changing them has been started through a dedicated password recovery form. The git.php.net and svn.php.net repositories remain read-only (development has moved to GitHub).

After the first malicious commit was discovered, made through the account of Rasmus Lerdorf, the creator of PHP, it was assumed that his account had been hacked. Nikita Popov, one of the key PHP developers, reverted the changes and blocked the commit rights of the problematic account. Some time later it became clear that the blocking was pointless: because commits were not verified with a digital signature, any participant with access to the php-src repository could push changes while substituting someone else's name as the author.

The attackers then pushed a malicious commit on behalf of Nikita himself. By analyzing the logs of the gitolite service, which is used to manage access to the repositories, an attempt was made to determine who had actually made the changes. Although logging of every commit was enabled, there were no entries in the log for the two malicious changes. It became clear that the infrastructure itself had been compromised, since the commits had been added directly, bypassing the gitolite connection path.

The git.php.net server was shut down immediately, and the primary repository was moved to GitHub. In the rush, it was forgotten that, besides SSH access through gitolite, the repository had a second entry point that allowed commits to be pushed over HTTPS. In that path, git-http-backend handled the interaction with Git, and authentication was performed by the Apache2 HTTP server, which verified credentials by querying a database hosted in the DBMS on the master.php.net server. Login was permitted not only with keys but also with a regular password. Analysis of the HTTP server logs confirmed that the malicious changes had been added over HTTPS.

Studying the logs showed that the attackers did not connect successfully on their first attempt: they initially had to guess the account name, but once they had identified it, they logged in on the very first try. In other words, they already knew the passwords of Rasmus and Nikita but did not know their login names. If the attackers had obtained access to the DBMS, it is unclear why they did not immediately use the correct login stored there. This discrepancy has not yet received a reliable explanation. A hack of master.php.net is nevertheless considered the most likely scenario, since this server ran very old code on an outdated OS that had not been updated for a long time and was unpatched.

The measures taken included rebuilding the master.php.net server environment and migrating its scripts to the new PHP 8 release. The code that works with the DBMS was modified to use parameterized queries, which makes SQL injection harder. Password hashes in the database are now stored using the bcrypt algorithm (previously, passwords were stored using the unreliable MD5 hash). Existing passwords have been reset, and developers are encouraged to set a new password through the password recovery form. Since HTTPS access to the git.php.net and svn.php.net repositories was tied to the MD5 hashes, it was decided to leave git.php.net and svn.php.net in read-only mode and to move all remaining PECL extension repositories to GitHub, as was already done for the main PHP repository.
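The two code-level fixes described above (parameterized queries and bcrypt in place of MD5) are easier to reason about side by side. The following is an added example written for this page, not code from php.net's infrastructure: it places a legacy-style login check (string-interpolated SQL and unsalted MD5) next to a hardened one (PDO prepared statements, password_hash with PASSWORD_BCRYPT, and a transparent rehash on login). The table schema, the user records and the bcrypt cost of 12 are assumptions chosen for the demonstration; an in-memory SQLite database stands in for the real DBMS so the script runs offline.

```php
<?php
// Added example (not php.net's own code): legacy vs. hardened credential checks.
// Schema, accounts and cost factor are constructed for the demonstration.
declare(strict_types=1);

// In-memory SQLite stands in for the DBMS that held the developer accounts.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

const BCRYPT_COST = 12; // assumed value; tune to the hardware so a hash takes ~100 ms

// --- Legacy pattern: the weak state the article describes ---------------------------

// Unsalted MD5: equal passwords give equal hashes, and a leaked table cracks quickly.
function legacyStore(PDO $db, string $user, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$user, md5($password)]);
}

// The username is concatenated into the SQL text, so it is parsed as part of the
// query rather than treated purely as data.
function legacyCheck(PDO $db, string $user, string $password): bool
{
    $sql = "SELECT password_hash FROM users WHERE username = '$user'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false && hash_equals($row['password_hash'], md5($password));
}

// --- Hardened pattern: parameterized query + bcrypt ---------------------------------

function hardenedStore(PDO $db, string $user, string $password): void
{
    // bcrypt generates a random per-password salt and embeds it in the hash string.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $user, ':h' => $hash]);
}

function hardenedCheck(PDO $db, string $user, string $password): bool
{
    // Placeholder binding: the driver sends the value separately from the SQL text,
    // so quotes or SQL keywords in the username cannot change the query.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Verify against a throwaway hash so unknown and known usernames take
        // roughly the same time (limits username enumeration via timing).
        static $dummy = null;
        $dummy ??= password_hash('dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Transparent upgrade: if the stored hash uses weaker parameters than the
    // current policy, rehash now while the plaintext is legitimately available.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([
            ':h' => password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
            ':u' => $user,
        ]);
    }
    return true;
}

// Demonstration with constructed accounts.
legacyStore($db, 'legacy_dev', 'correct horse');
hardenedStore($db, 'modern_dev', 'correct horse');

echo 'legacy   ok:  ', var_export(legacyCheck($db, 'legacy_dev', 'correct horse'), true), "\n";
echo 'hardened ok:  ', var_export(hardenedCheck($db, 'modern_dev', 'correct horse'), true), "\n";
echo 'hardened bad: ', var_export(hardenedCheck($db, 'modern_dev', 'wrong'), true), "\n";

// A perfectly ordinary username containing an apostrophe breaks the legacy query
// (it is parsed as SQL); the parameterized query simply reports "no such user".
try {
    legacyCheck($db, "o'brien", 'x');
} catch (PDOException $e) {
    echo "legacy query failed on a quote in the username: ", $e->getMessage(), "\n";
}
echo 'hardened apostrophe: ', var_export(hardenedCheck($db, "o'brien", 'x'), true), "\n";
```

The last step matters for a migration like the one described: bcrypt hashes cannot be derived from existing MD5 hashes, which is why the project had to reset passwords rather than convert them in place. password_needs_rehash only helps once a user has logged in with a plaintext password that was already bcrypt-hashed under an older cost.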

Source: opennet.ru
