Watch out for PHP holes

Poorly written PHP sites make them the target of attacks

In the first half of 2006, desktop filtering software maker Websense counted a 100 percent rise in Web sites that contained code potentially harmful to visitors. The company declined to reveal how many Web sites it tallied, but it did say that 40 percent of the sites were hacked -- that is, they had their site code altered by outsiders. Of those hacked Web sites, the vast majority (91 percent) were commissioned to install Trojan horses that take control of visiting computers to turn them into bots -- to relay spam, wage denial-of-service attacks or carry out ID theft schemes -- or use them as bases for spreading malicious programs such as worms and keyloggers inside the enterprise.

Ben Butler, network abuse manager at, a Web site domain seller and hosting company, says he believes that as many as 50 percent to 60 percent of those successful hacks involve some form of poorly written Web application developed in an easy-to-use, popular hypertext development language called PHP.

"PHP is an extremely hacked application type because it allows server-side scripts to happen on a Web site. This script is communicating back to the server, and that pathway can be hacked," says Butler, who bases his opinion on the hundreds of investigations GoDaddy opens each week into hacked and abusive Web sites among its hosted domains.

By the end of last year, some 2,100 PHP-related vulnerabilities existed in IBM Internet Security Systems' database of 30,000 known vulnerabilities. Of all Web development languages, PHP is most widely used because of its ease, says Chris Shiflett, who runs the PHP Security Consortium (at and is the author of Essential PHP Security.

And with ease of use come vulnerabilities, says Bill Boni, corporate vice president of information security and protection at Motorola. Boni says that when you have lots of inexperienced people working with an easy-to-use Web development application, it leads to insecure code.

Boni adds that even experienced developers, under tight deadlines, can create Web applications that are vulnerable to common Web attacks.

Two examples: Last June, Circuit City had one of its Web pages turned into a spamware installer. The vulnerability was in a poorly written forms field developed in PHP. And, in October, IBM's popular Websphere application was found to have a cross-site scripting vulnerability, the same type of vulnerability used to propagate a worm on MySpace in October 2005.

Page Break

What to do

1. Web application filters are a good first step to protecting your Web applications from malicious tampering, but they don't catch everything. Bill Boni strongly recommends ongoing training in coding best practices for all Web developers regardless of the development language they use. "Code reviews, application-level security scanning and rigorous security testing against your Web applications are all essential," he adds.

2. Keep your browsers patched and updated, since the malicious code gets in through vulnerabilities in the browser, Chris Shiflett says. "If you can, get on a less used and less targeted browser, a really solid and mature browser like Opera, Safari or Firefox," he says.