Imperva Cyber Community


Manual Mitigation for recently published PHP Git Repository Hack

By Patrick Mccrudden posted 03-30-2021 05:04


Yesterday it was published that the official PHP Git repository was hacked and an RCE backdoor was committed into the PHP base code.

PHP is one of the most popular server-side programming languages, powering over 79% of the websites on the Internet, which makes this vulnerability a very critical one.

More information on the disclosed vulnerability can be found here:

https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/


Vulnerability Description:

The official PHP Git repository was hacked and an RCE backdoor was committed into the PHP base code.


Cloud WAF customers and On-Prem customers that have “SecureSphere Emergency Feed” (THR feeds) are already protected OOTB.


Below are manual mitigation steps to address this vulnerability (for On-Prem customers):


  1. Create a new manual dictionary or use an existing one
  2. Create a new signature (inside the dictionary from the previous step) with the following definition:


  • Signature name: PHP Git Server Backdoor - Zerodium
  • Signature pattern: part="User-Agent", part="zerodium"
  • Protocols: http, https
  • Search Signature in: Headers


  3. Create a new “HTTP Protocol Signatures” policy that uses the dictionary from step 1 and apply it
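As an added illustration (not Imperva's code or configuration), the following Python emulates what the signature defined above does: it parses the headers of a raw HTTP request and reports whether the User-Agent header contains the pattern, so a team can replay captured requests and see what the new policy would flag. The sample requests are constructed, and the case-insensitive substring match is an assumption.

```python
from typing import Dict, List, Optional

# Values taken from the signature definition in the post above.
SIGNATURE_NAME = "PHP Git Server Backdoor - Zerodium"
HEADER_NAME = "user-agent"   # header names are compared case-insensitively
PATTERN = "zerodium"

# Constructed sample traffic (not real captures): one ordinary request and one
# carrying the marker string under a differently cased header name.
BENIGN_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Accept: */*\r\n\r\n"
)
SUSPECT_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "USER-AGENT: Mozilla/5.0 zerodium\r\n\r\n"
)

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Header block of a raw HTTP/1.x request as a lowercase-name -> value dict.
    Header names are case-insensitive, so a filter keyed on the literal
    'User-Agent' would miss 'USER-AGENT'; repeated headers are joined with ', '."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:       # [0] is the request line
        if ":" not in line:
            continue                           # malformed line: skip, do not crash
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def matches_signature(raw_request: str) -> Optional[str]:
    """Signature name if the User-Agent header contains the pattern, else None.
    The substring test is case-insensitive here (an assumption; the post does
    not describe the dictionary's case handling)."""
    ua = parse_headers(raw_request).get(HEADER_NAME)
    if ua is not None and PATTERN in ua.lower():
        return SIGNATURE_NAME
    return None

def scan_requests(requests: List[str]) -> List[int]:
    """Indices of requests the signature would flag, e.g. when replaying a
    batch of captured requests to see what the new policy would block."""
    return [i for i, r in enumerate(requests) if matches_signature(r)]
```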

#CloudWAF(formerlyIncapsula)
#On-PremisesWAF(formerlySecuresphere)