Most websites could be targeted through PHP, warns Imperva

Hackers are focusing on vulnerabilities in the PHP web application development platform, threatening most websites, warns Imperva

Hackers are focusing on vulnerabilities in the PHP web application development platform threatening most websites, warns the latest hacker intelligence report from security firm Imperva.

This practice is in line with the well-established trend of hackers aiming at commonly used third-party components to get the best return on investment.

PHP is an alternative to Microsoft's Active Server Page (ASP) technology and is used mainly on Linux web servers.

“Because compromised hosts can be used as botnet slaves to attack other servers, exploits against PHP applications can affect the general security and health of the entire web,” said Amichai Shulman, CTO at Imperva.

“The effects of these attacks can be great as the PHP platform is by far the most popular web application development platform, powering more than 80% of all websites, including Facebook and Wikipedia. Clearly, it is time for the security community to devote more attention to this issue.”

Return on investment

According to the report, hackers are increasingly capable of packaging higher levels of sophistication into simpler scripts. PHP SuperGlobals are a prime target that yields a high return on investment.

PHP SuperGlobals are several predefined variables in PHP available in all scopes throughout a script.

The PHP SuperGlobal parameters are gaining popularity in the hacking community because they incorporate multiple security problems into an advanced web threat. This can be used to break application logic, compromise servers and result in fraudulent transactions and data theft, researchers said.


They note that PHP applications do not protect against the modification of variables from external sources, such as query parameters or cookies.

According to the report, the researchers have seen attackers abusing SuperGlobal variables for remote code execution, remote file inclusion and security filter evasion attacks.

In one month, Imperva’s research team noted an average of 144 attacks per sample application that contained attack vectors related to SuperGlobal parameters.

These attacks appeared in the form of request burst floods, with peaks of between 20 and 90 hits per minute on an application, with some attacks lasting more than five months.

Researchers said SuperGlobal variable manipulation is becoming popular and that some of the biggest vulnerability scanners are specifically looking for this attack vector.

Researchers found a vulnerability in the popular phpMyAdmin (PMA) utility used to manage MySQL databases in PHP environments.

Security researchers' recommendations

They said that, because it is often bundled with other applications using the popular MySQL database, having this vulnerable utility present on the server – even if it is not being used by the administrator – exposes the server to code execution attacks and, as a consequence, to full server takeover.

The report therefore recommends an “opt out” security model.

The report concludes that only a positive security mechanism that specifies the allowed parameter names for each resource can prevent an attacker from taking advantage of the external variable manipulation weakness, which gives anyone the ability to send external parameters with the same names as internal variables and thus override their values.

Researchers recommend that SuperGlobal parameters in requests should be blocked as there is no reason for them to be present.
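The two recommendations above (a per-resource allow-list of parameter names, and rejecting any request parameter named like a SuperGlobal) can be expressed as a small request gate. The following is an added example written for this page; it is not code from the Imperva report or from the article, and the resource paths, allowed parameter lists and sample requests are constructed for illustration. The `vulnerableIsAdmin` function shows the override weakness the report describes, using PHP's `extract()` to import request input into the local variable table, beside the positive-model check that stops it:

```php
<?php
// Added example, not from the Imperva report. Resource names, allow-lists and
// sample requests below are constructed for illustration.
declare(strict_types=1);

// Positive security model: the only parameter names each resource may receive.
const ALLOWED_PARAMS = [
    '/login.php'  => ['username', 'password'],
    '/search.php' => ['q', 'page'],
];

// Names that never have a legitimate reason to arrive from the outside:
// the PHP SuperGlobals plus the GLOBALS array.
const SUPERGLOBAL_NAMES = [
    'GLOBALS', '_SERVER', '_GET', '_POST', '_FILES', '_COOKIE',
    '_SESSION', '_REQUEST', '_ENV',
];

/**
 * The weakness the report describes: importing external input into the
 * variable table lets a request parameter with the same name as an internal
 * variable override it. Here "is_admin=1" in the request flips the default.
 *
 * @param array<string,mixed> $request merged external input (query, body, cookies)
 */
function vulnerableIsAdmin(array $request): bool
{
    $is_admin = false;     // internal default the application relies on
    extract($request);     // external "is_admin" silently overwrites $is_admin
    return (bool) $is_admin;
}

/**
 * Validate one request against the allow-list for its resource.
 * Returns human-readable rejection reasons; an empty array means accepted.
 *
 * @param string              $resource path of the requested script
 * @param array<string,mixed> $params   merged external input (query, body, cookies)
 * @return string[]
 */
function validateRequest(string $resource, array $params): array
{
    if (!isset(ALLOWED_PARAMS[$resource])) {
        return ["unknown resource {$resource}"];
    }

    $reasons = [];
    foreach ($params as $name => $value) {
        // Check 1: a SuperGlobal name in the request is rejected outright. PHP
        // parses "_SESSION[role]=admin" into the top-level key "_SESSION", so
        // matching the top-level key is sufficient.
        if (in_array((string) $name, SUPERGLOBAL_NAMES, true)) {
            $reasons[] = "superglobal name in request: {$name}";
            continue;
        }
        // Check 2: positive model. Anything not explicitly allowed for this
        // resource is rejected, which also blocks "is_admin" style overrides.
        if (!in_array((string) $name, ALLOWED_PARAMS[$resource], true)) {
            $reasons[] = "parameter not allowed for {$resource}: {$name}";
        }
    }
    return $reasons;
}

// Constructed sample requests of the kind the report describes.
$samples = [
    ['/login.php',  ['username' => 'alice', 'password' => 'x']],
    ['/login.php',  ['username' => 'alice', 'password' => 'x', 'is_admin' => '1']],
    ['/search.php', ['q' => 'php', '_SESSION' => ['role' => 'admin']]],
];

foreach ($samples as [$resource, $params]) {
    $reasons  = validateRequest($resource, $params);
    $verdict  = $reasons ? 'REJECT (' . implode('; ', $reasons) . ')' : 'accept';
    $override = vulnerableIsAdmin($params) ? 'is_admin overridden' : 'is_admin intact';
    echo "{$resource}: {$verdict}; without the gate: {$override}", PHP_EOL;
}
```

Run with `php gate.php`. The second sample shows the override succeeding in `vulnerableIsAdmin` while the allow-list rejects the same request before it reaches application code; the third is rejected on the SuperGlobal name alone. In a real deployment the gate would run as the first step of request handling (or in a web application firewall in front of it), and a rejection is the detection signal the report's final point refers to: blocking this one stage is enough to break the attack chain.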

Finally, the report notes that, although attacking through PHP SuperGlobals is a powerful way of carrying out attacks on targets, the method has pitfalls.

According to the researchers, an application security system that can detect and mitigate a single stage of the attack can render the entire attack useless.
