
PHP.net breach: Concern over safety of source code - taylorbuley
http://www.theregister.co.uk/2011/03/21/php_server_hacked/
======
nbpoole
Does anybody know what version of DokuWiki was being run? I'd be interested to
know whether this was a 0-day exploit (and if so when DokuWiki will be
patched).

~~~
splitbrain
DokuWiki lead developer here. I've contacted the PHP guys but haven't heard
back yet. We have no details of the breach so far. The Google cache of the
page indicates that it was an outdated DokuWiki version, but we simply don't
know.

There are no known vulnerabilities in current DokuWiki. As soon as we learn
about the nature of the problem we will release a security update if needed.

~~~
nbpoole
Thanks for the followup :-)

Edit: For anyone else who's curious, here's what I'm seeing from the Google
cache:

    <meta name="generator" content="DokuWiki Release 2008-05-05" />

There appear to have been three major releases of DokuWiki since then, so the
vector could have been a previously fixed vulnerability.

------
xd
Not sure why it took days to find any malicious code modifications. Would have
thought it would be pretty easy to find any malicious changes to any source
code, be it tarballed or under source control. But then tarballs will have
md5sums which are easy enough to check .. but I guess it's pretty easy to
tamper with the source control logs ..

~~~
nbpoole
Edit: The linked article talks about people spending the past few days
reviewing for code modifications. Based on other sources (VUPEN Twitter,
PHP.net), it appears to have only taken a day or so. It has been several days
since Friday though ;)

---

Original (too harsh) reply below, for history's sake:

Who said it took days? The wiki was taken down on Friday, that note was put up
on Saturday. And they manually reviewed all revisions in case the credentials
leak on the wiki box led to SVN access. It seems like a perfectly reasonable
response to me.

~~~
xd
"_Maintainers of the PHP programming language spent the past few days
scouring their source code for malicious modifications after discovering the
security of one of their servers had been breached._"

First paragraph of the linked article.

~~~
nbpoole
Friday:

"We are aware of a possible compromise of PHP.NET server(s) and a potential
PHP source backdoor. "wiki.php.net" was taken offline" |
<https://twitter.com/#!/VUPEN/status/48696644975337472>

Saturday:

"php.net security notice" | <http://www.php.net/archive/2011.php>

The article backs up this timeline as well ("The site has been down since at
least Friday"). Which do you trust more, the article with the linkbait title
or actual facts? ;-)

~~~
xd
Yes, great points. I read the article linked to from the OP and didn't take
the time to look elsewhere. I don't generally have time to crawl the web
looking for the "facts" for every news story I read and have faith that a
story being voted up on HN is based on a reliable source / article.

I'm lost as to why you felt it necessary to bait me with: "Who said it took
days?"; you could have just replied with the better sources you have just
brought to my attention.

~~~
nbpoole
I'm sorry. I wasn't attempting to bait you: I've been following this story
since Friday, so I only skimmed this article the first time through. When I
originally replied to you, I didn't know why you thought it took days. But
you're right, my tone was much too harsh: my apologies.

~~~
xd
No worries :)

