It was published yesterday that the official PHP Git repository was compromised and an RCE backdoor was committed into the PHP source code.
PHP is one of the most widely used server-side programming languages, powering over 79% of websites with a known server-side language, which makes a backdoor in its source a very critical issue.
More information on the disclosed vulnerability can be found here:
https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/
Vulnerability Description:
Unauthorized commits containing a remote code execution (RCE) backdoor were pushed to the official PHP Git repository. The backdoor is triggered by an HTTP request that carries the string “zerodium” in a User-Agent header; the backdoored code actually read a header named “User-Agentt”, which the substring signature below also covers.
Cloud WAF customers, and On-Prem customers subscribed to the “SecureSphere Emergency Feed” (THR feeds), are already protected out of the box (OOTB).
Below are manual mitigation steps to address this vulnerability (for On-Prem customers without the emergency feed):
1. Create a new manual dictionary or use an existing one.
2. Create a new signature inside the dictionary from step 1 with the following definition:
   - Name: PHP Git Server Backdoor - Zerodium
   - Signature: part="User-Agent", part="zerodium"
   - Protocols: http, https
   - Search Signature in: Headers
3. Create a new “HTTP Protocol Signatures” policy that uses the dictionary from step 1 and apply it.
Note that both parts are substring matches over the header block, so the signature also fires when the header name is spelled “User-Agentt”, which is the name the backdoored code looked for.
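The following is an added example, not Imperva's code and not part of the advisory: a stand-alone Python check that runs the intent of the manual signature above over raw HTTP requests, with a stricter variant beside it. Assumptions that are mine rather than the advisory's: the backdoored PHP build read the header PHP exposes as `$_SERVER['HTTP_USER_AGENTT']` (sent on the wire as `User-Agentt`) and evaluated whatever followed the string `zerodium` in its value as PHP, so the stricter check returns that trailing text as the payload for triage; matching is case-insensitive; the sample requests are constructed, not captured traffic.

```python
# Added example, not Imperva's code. Reproduces the manual SecureSphere
# signature (part="User-Agent", part="zerodium", searched in Headers) and a
# stricter check that mirrors the actual trigger condition of the backdoor.
#
# Assumption (mine, not the advisory's): the backdoored build read the header
# sent as "User-Agentt" and evaluated the text after "zerodium" as PHP.
import re
from typing import List, Optional, Tuple

SIGNATURE_NAME = "PHP Git Server Backdoor - Zerodium"
MARKER = "zerodium"

# One HTTP/1.x header field line: token ":" optional-whitespace value.
_HEADER_RE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def header_lines(raw_request: str) -> List[str]:
    """Return the header block of a raw request, without the request line.

    Parsing stops at the first empty line, so a body containing "zerodium"
    does not count: the advisory scopes the signature to Headers only.
    """
    lines = raw_request.replace("\r\n", "\n").split("\n")
    block = []
    for line in lines[1:]:
        if line == "":
            break
        block.append(line)
    return block


def parse_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Split the header block into (name, value) pairs, skipping malformed lines."""
    pairs = []
    for line in header_lines(raw_request):
        m = _HEADER_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def matches_dictionary_signature(raw_request: str) -> bool:
    """Literal reading of the dictionary signature: both substrings must occur
    somewhere in the header block, not necessarily in the same header field."""
    block = "\n".join(header_lines(raw_request)).lower()
    return "user-agent" in block and MARKER in block


def backdoor_payload(raw_request: str) -> Optional[str]:
    """Stricter check: the marker must sit in the value of a header whose name
    contains "User-Agent" (which also covers "User-Agentt"). Returns the text
    after the marker, i.e. what the backdoored build would have evaluated,
    or None when the request would not trigger it."""
    for name, value in parse_headers(raw_request):
        if "user-agent" not in name.lower():
            continue
        idx = value.lower().find(MARKER)
        if idx != -1:
            return value[idx + len(MARKER):]
    return None


def matches_backdoor_trigger(raw_request: str) -> bool:
    return backdoor_payload(raw_request) is not None


# Constructed sample traffic (not captured data).
BENIGN = "GET /index.php HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"
TRIGGER_UA_TT = "GET /index.php HTTP/1.1\r\nHost: www.example.test\r\nUser-Agentt: zerodiumsystem('id');\r\n\r\n"
TRIGGER_UA = "GET / HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: zerodiumphpinfo();\r\n\r\n"
# Dictionary signature fires (both substrings present), stricter check does not.
SPLIT_ACROSS_HEADERS = "GET / HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: curl/7.68.0\r\nX-Campaign: zerodium-readers\r\n\r\n"
# Marker only in the body, outside the Headers search scope: neither fires.
MARKER_IN_BODY_ONLY = "POST /contact.php HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 8\r\n\r\nzerodium"

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("user-agentt", TRIGGER_UA_TT), ("user-agent", TRIGGER_UA),
               ("split", SPLIT_ACROSS_HEADERS), ("body-only", MARKER_IN_BODY_ONLY)]
    for label, req in samples:
        print(f"{label:12} dictionary={matches_dictionary_signature(req)!s:5} "
              f"trigger={matches_backdoor_trigger(req)!s:5} payload={backdoor_payload(req)!r}")
```

The two checks differ on the `SPLIT_ACROSS_HEADERS` case: the dictionary signature as written matches any request whose header block contains both substrings, even in unrelated fields, while the stricter check only fires when the marker sits in a User-Agent-named header, which is the condition the backdoor required. The broader match is the safer default for a blocking rule during an incident; the stricter function is the one to use when triaging hits and recovering the attempted payload.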
Tags: Cloud WAF (formerly Incapsula), On-Premises WAF (formerly SecureSphere)