Poor design fosters hacker attacks of websites running PHP

Faulty design in a popular web application programming language is opening up websites across the Internet to hacker attacks, a data security firm reported this week.

Security problems are arising from the way the language, PHP, handles certain kinds of variables in its code, according to the report prepared by researchers at Imperva.

"The PHP platform is by far the most popular web application development platform, powering over eighty percent of all websites, including top sites such as Facebook, Baidu, and Wikipedia," the report (PDF) explained. "As a result, PHP vulnerabilities deserve special attention."

"In fact," the report added, "exploits against PHP applications can affect the general security and health status of the entire web, since compromised hosts can be used as botnet slaves, further attacking other servers."

Imperva was critical of the way the language defines certain "super global" variables by default and allows external input, such as cookies, to manipulate them. Attacks exploiting super globals are gaining in popularity with hackers, the report noted.

"[Hackers] incorporate multiple security problems into an advanced Web threat that can break application logic, compromise servers, and may result in fraudulent transactions and data theft," Imperva's researchers reported.

Super global variables are a relatively recent addition to PHP. They make coding easier by removing the need to define some common variables each time an application is created, but the security implications of the practice may not have been thoroughly thought out.
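To make the design concern concrete, here is an added illustration (not code from the Imperva report, from the article, or from the PHP project) of the pattern described above: an application that takes an authorization decision from $_REQUEST, which PHP fills from query parameters, form fields and, depending on the variables_order and request_order settings in php.ini, cookies, beside a hardened version that takes that decision only from server-side session state and validates any client-supplied value explicitly. The function names, the "role" field and the session settings are assumptions for the example.

```php
<?php
// Added illustration, not from the Imperva report or the article.
// Hypothetical application code: a weak check that trusts a super global
// populated by client input, and a hardened alternative.

// ---- Weak pattern: an authorization decision read from $_REQUEST ----
// $_REQUEST merges GET, POST and (depending on variables_order/request_order)
// COOKIE data. Every value in it was chosen by the client, so a "role" field
// sent as a query parameter, a form field or a cookie is enough to pass.
function is_admin_weak(): bool
{
    return isset($_REQUEST['role']) && $_REQUEST['role'] === 'admin';
}

// ---- Hardened pattern: the decision comes from server-side state only ----
// $_SESSION is written by the application after a successful login, not by
// the request. The client only holds the session ID, and strict mode below
// makes the server refuse IDs it did not issue itself.
function is_admin_hardened(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return false;
    }
    return isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
}

// Read one named input from one specific super global, with validation,
// instead of pulling whatever $_REQUEST happens to contain.
function read_page_param(): int
{
    $page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    // filter_input() returns null when the key is absent, false when invalid.
    return ($page === null || $page === false) ? 1 : $page;
}

// Session settings assumed for this example; adjust to the deployment.
function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not create
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    ini_set('session.cookie_httponly', '1');   // keep the cookie away from page scripts
    ini_set('session.cookie_secure', '1');     // send the cookie over HTTPS only
    session_start();
}

// Demonstration with constructed request data: a request that carries
// role=admin in client-controlled input but belongs to an ordinary session.
$_REQUEST['role'] = 'admin';       // constructed: client-supplied value
start_hardened_session();
$_SESSION['role'] = 'user';        // constructed: what the server recorded at login

var_dump(is_admin_weak());         // depends on the client-supplied value
var_dump(is_admin_hardened());     // depends only on server-side state
var_dump(read_page_param());       // defaults to 1 when 'page' is absent or invalid
```

The point of the contrast is where the trust boundary sits: the weak check lets the request decide its own privilege, while the hardened check lets the request do nothing more than present a session ID that the server issued and still recognizes. Reviewing code for reads of $_REQUEST, $_COOKIE or $_GET that feed authorization or application-state decisions is the corresponding defensive check.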

"Technically, PHP isn't broken," NSS Research Director Chris Morales said in an interview. "It's performing as designed. It's just not a good design."

"I totally agree with Imperva," he said. "Why is PHP written in such a way that they allow an external component to execute a super global variable? From a coding perspective, there's no reason ever to do that. Their implementation is poor."

Since PHP is an open source program, there's always some question as to whether its openness is contributing to its security problems. "I don't think that's the issue here," said Tal Be'ery, Web security research team leader at Imperva.

"If PHP had been closed source, it wouldn't have been more secure," Be'ery said in an interview. "There are some architectural decisions taken by the PHP implementers that make it easier to use for the programmer but make the software less secure."

[Also see: Hundreds of DreamHost websites abused by spammers]

PHP has been in the sights of hackers for years. At the end of 2006 alone, there were 2,100 PHP flaws listed in the ISS database of vulnerabilities to tempt net baddies. And through the years, web malcontents have used rogue PHP pages to redirect users to work-at-home scams and CGI vulnerabilities in the language to execute code remotely.

From Windows to WordPress, large platforms in general attract hacker attention, so it shouldn't be surprising that PHP has done so, too. "PHP's footprint is pretty large, which makes it juicier as a target," Mat Gangwer, an information security analyst with Rook Consulting, said in an interview.

What makes large platforms especially attractive is that they can give hackers the most bang for their buck. "When they come up with an exploit or attack on one site it can be traversed across multiple sites so it doesn't have to be a single targeted attack," Gangwer said.

"In a lot of ways, PHP is a victim of its own success," said Daniel Peck, a research scientist with Barracuda Networks.

Peck explained hosting sites rapidly adopted the language because it was easy to use, it worked and it was free. That kind of haphazard growth created growing pains for the language -- including security aches.

"The documentation and example code has a lot of poor and insecure practices in it so if you search on how to solve your problem in PHP, you'll come up with an insecure solution," Peck said in an interview.

Even if programmers want to mind their security P's and Q's, they can find it challenging. "It also has some features that make it difficult to program securely," Peck noted. "It can be done, but you need to put a significant amount of effort into it."

PHP is also plagued with another affliction of mega Web platforms. "Content systems deployed in an open source fashion are easy to deploy and administer, but often the resources aren't there to keep up with the patch frequencies and the vulnerabilities associated with them," JD Sherry, vice president of Technology and Solutions for Trend Micro told CSOonline.

"When you couple the problem with super global variables with unpatched systems, you've got a perfect storm for an attacker," Sherry said.

Stories by John P. Mello