PrimitiveType

Web Developer News

Slashdot.org News Recent news from Slashdot.org

Git.PHP.net Not Compromised in Supply Chain Attack, but User Database Leak Possible
 
Inside.com's developer newsletter reports: The PHP team no longer believes the git.php.net server was compromised in a recent attack, which prompted PHP to move servers to GitHub and caused the team to temporarily put releases on hold until mid-April... In an update offering further insight into the root cause of the late March attack, the team says because it's possible the master.php.net user database was exposed, master.php.net has been moved to main.php.net. The team also reset php.net passwords, and you can visit https://main.php.net/forgot.php to set a new password. In addition, git.php.net and svn.php.net are both read-only now. Two malicious commits were pushed to the php-src repo from PHP founder Rasmus Lerdorf and PHP core developer Nikita Popov, Popov announced March 28. After an investigation, the PHP team reassured users these malicious commits never reached end-users. However, the team decided to move to GitHub after determining maintaining its own git infrastructure is "an unnecessary security risk." "In 2019, the PHP team temporarily shut down its Git server after discovering that an attacker had maliciously replaced the official PHP Extension and Application Repository with a malicious one," reports CPO magazine. But this newer supply chain attack "targeted any server that uses PHP ZLib compression when sending data. Most servers use this functionality on almost all content except images and archives that are already size optimized." The supply chain attack would have turned PHP into a remote web shell through which the attackers could execute any command without authentication. This is because the malicious attackers would have the same privileges as the web server running PHP. The backdoor is triggered at the start of a request by checking if the request contains the word "zerodium." If this condition was met, PHP executes the code in the "User-Agentt" request header. The header closely resembles the PHP "User-Agent" request for checking for browser properties. The rest of the request would thus be treated as a command that could be executed on a PHP server using the server's privileges. This would allow the hackers to run any arbitrary command without the need for further privileges... PHP powers 80% of all websites. Thus, a successful supply chain attack exploiting the language could prove catastrophic.

Read more of this story at Slashdot.


Microsoft Previews Its Open Source Java Distribution, Microsoft Build of OpenJDK
 
Mark Wilson writes: Microsoft has launched a preview version of its own distribution of Java, making it available for Windows, macOS and Linux. The company has named the release Microsoft Build of OpenJDK, and describes it as its "new way to collaborate and contribute to the Java ecosystem". The company has made available Microsoft Build of OpenJDK binaries for Java 11, which are based on OpenJDK source code. Microsoft says it is looking to broaden and deepen its support for Java, "one of the most important programming languages used today".

Read more of this story at Slashdot.


Google Now Supports Rust for Underlying Android OS Development
 
For the past few years, Google has been encouraging developers to write Android apps with Kotlin. The underlying OS still uses C and C++, though Google today announced Android Open Source Project (AOSP) support for Rust. From a report: This is part of Google's work to address memory safety bugs in the operating system: "We invest a great deal of effort and resources into detecting, fixing, and mitigating this class of bugs, and these efforts are effective in preventing a large number of bugs from making it into Android releases. Yet in spite of these efforts, memory safety bugs continue to be a top contributor of stability issues, and consistently represent ~70% of Android's high severity security vulnerabilities." The company believes that memory-safe languages, like Rust, are the "most cost-effective means for preventing memory bugs" in the bootloader, fastboot, kernel, and other low-level parts of the OS. Unlike C and C++, where developers manage memory lifetime, Rust "provides memory safety guarantees by using a combination of compile-time checks to enforce object lifetime/ownership and runtime checks to ensure that memory accesses are valid." Google has been working to add this support to AOSP for the past 18 months. Performance is equivalent to the existing languages, while increasing the effectiveness of current sandboxing and reducing the overall need for it. This allows for "new features that are both safer and lighter on resources." Other improvements include data concurrency, a more expressive type system, and safer integer handling.

Read more of this story at Slashdot.


InternetNews.com News Recent news from InternetNews.com

IT Earnings Way Up at Job Site Elance
 
Google App Engine, HTML5, search engine optimization and social media marketing are among the fastest movers on Elance's list of hot job opportunities available online.

Say What? The Week's Top Five IT Quotes
 
Google Wave crashes, fighting to keep mainframe skills alive, beware the Outernet and more.

GPL Enforcement Notches Another Victory
 
The license at the heart of many open source projects is amassing a winning record when it comes to successfully pursuing enforcement lawsuits.