Concern Over PHP Attacks Affecting Major Websites

Hackers are trying in earnest to exploit weaknesses in PHP, the server-side code platform used by 80 percent of the world’s websites, including Facebook and Wikipedia, researchers have warned.

Security company Imperva is particularly concerned about two vulnerabilities that can be used to execute code on servers running PHP. The flaws mean a PHP application can fail to stop variables being modified by external sources.

Attackers are widely abusing SuperGlobal variables to execute code remotely. These variables are predefined and can be used in PHP applications without the declaration that local and global variables need.

PHP coders warned

One flaw lets an attacker craft a malicious query string that overrides values within the _SESSION SuperGlobal variable. Another is present in PHP’s session serialisation mechanism, which represents complex structured objects in a textual format so they can be stored in files.

When an attacker combines those flaws, they can execute arbitrary code on a server running PhpMyAdmin, a database management application.

“The attacker can combine the two separate vulnerabilities, the former letting the attacker inject a value into the session, and the latter allowing the attacker to create arbitrary string to inject a maliciously crafted PMA_config object into the serialised session,” Imperva said in its report.

The ultimate aim is to take over a server running the PhpMyAdmin software.

The company used its honeypots and community data to analyse attacks, finding that in May 2013, 3,450 requests manipulated PHP SuperGlobal variables. These were generated by 27 different source IP addresses targeting 24 web applications.

“Most of these attacks were not limited to attacks on SuperGlobal parameters, but were part of a larger attack campaign,” Imperva added. “SuperGlobal manipulation has become common practice and has already been integrated into security and hacking tool routines.

“Based on the captured malicious traffic, we were able to trace its origin and find the specific exploit code used to generate it in a hackers’ forum on the web.”

If the code is doing the rounds on the dark web, businesses running PHP on their machines should be concerned and look for fixes.
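Requests of the kind Imperva counted, where a query-string parameter is named after a SuperGlobal such as _SESSION, can be looked for in a site's own access logs. The Python below is an added example, not code from Imperva's report; it assumes Combined Log Format, and the log lines, IP addresses and paths are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# PHP's predefined SuperGlobal names, written without the leading "$".
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
                "_COOKIE", "_SESSION", "_REQUEST", "_ENV"}

# Combined Log Format prefix: client IP, timestamp, then the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+)')

# Constructed sample input (documentation IP ranges, placeholder parameter values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:01:02 +0000] "GET /phpmyadmin/index.php?_SESSION%5Bexample%5D=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:01:05 +0000] "GET /shop/view.php?id=7&_SERVER[EXAMPLE]=x HTTP/1.1" 200 734',
    '198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "POST /phpmyadmin/index.php?_SESSION%5Bexample%5D=2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:03:40 +0000] "GET /index.php?session=abc&page=2 HTTP/1.1" 200 900',
]


def superglobal_params(target):
    """Return the SuperGlobal names used as query parameter names in a request target."""
    query = target.partition("?")[2].partition("#")[0]
    hits = []
    for pair in re.split(r"[&;]", query):
        # Decode the name so %5B / %5D are seen as the brackets PHP will parse.
        name = unquote_plus(pair.split("=", 1)[0])
        # PHP reads "a[b][c]" as array access on variable "a"; compare the base name.
        base = name.split("[", 1)[0].strip()
        if base in SUPERGLOBALS:
            hits.append(base)
    return hits


def summarise(lines):
    """Count flagged requests, distinct source IPs and distinct targeted paths."""
    flagged, sources, targets, names = 0, set(), set(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        hits = superglobal_params(m.group("target")) if m else []
        if hits:
            flagged += 1
            sources.add(m.group("ip"))
            targets.add(m.group("target").partition("?")[0])
            names.update(hits)
    return {"requests": flagged, "source_ips": len(sources),
            "targets": len(targets), "names": dict(names)}


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

The match is exact on the parameter's base name, so an ordinary parameter such as `session` is not flagged.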

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
