Watch out for PHP holes

Poorly written PHP sites make them the target of attacks

In the first half of 2006, desktop filtering software maker Websense counted a 100 percent rise in Web sites that contained code potentially harmful to visitors. The company declined to reveal how many Web sites it tallied, but it did say that 40 percent of the sites were hacked -- that is, they had their site code altered by outsiders. Of those hacked Web sites, the vast majority (91 percent) were commissioned to install Trojan horses that take control of visiting computers to turn them into bots -- to relay spam, wage denial-of-service attacks or carry out ID theft schemes -- or use them as bases for spreading malicious programs such as worms and keyloggers inside the enterprise.

Ben Butler, network abuse manager at, a Web site domain seller and hosting company, says he believes that as many as 50 percent to 60 percent of those successful hacks involve some form of poorly written Web application developed in an easy-to-use, popular hypertext development language called PHP.

"PHP is an extremely hacked application type because it allows server-side scripts to happen on a Web site. This script is communicating back to the server, and that pathway can be hacked," says Butler, who bases his opinion on the hundreds of investigations GoDaddy opens each week into hacked and abusive Web sites among its hosted domains.

By the end of last year, some 2,100 PHP-related vulnerabilities existed in IBM Internet Security Systems' database of 30,000 known vulnerabilities. Of all Web development languages, PHP is most widely used because of its ease, says Chris Shiflett, who runs the PHP Security Consortium (at and is the author of Essential PHP Security.

And with ease of use come vulnerabilities, says Bill Boni, corporate vice president of information security and protection at Motorola. Boni says that when you have lots of inexperienced people working with an easy-to-use Web development application, it leads to insecure code.

Boni adds that even experienced developers, under tight deadlines, can create Web applications that are vulnerable to common Web attacks.

Two examples: Last June, Circuit City had one of its Web pages turned into a spamware installer. The vulnerability was in a poorly written forms field developed in PHP. And, in October, IBM's popular Websphere application was found to have a cross-site scripting vulnerability, the same type of vulnerability used to propagate a worm on MySpace in October 2005.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about BillCircuit CityHISIBM AustraliaInternet Security SystemsMotorolaSecurity SystemsWebsense

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Brand Page

Stories by Deb Radcliff

Latest Videos

More videos

Blog Posts