Concern Over PHP Attacks Affecting Major Websites

Hackers are trying in earnest to exploit weaknesses in PHP, the server-side code platform used by 80 percent of the world’s websites, including Facebook and Wikipedia, researchers have warned.

Security company Imperva is particularly concerned about two vulnerabilities that can be used to execute code on servers running PHP. The flaws mean a PHP application can fail to stop variables being modified by external sources.

Attackers are widely abusing SuperGlobal variables to execute code remotely. These variables are predefined and can be used in PHP applications without the declaration that local and global variables require.

PHP coders warned

One flaw lets an attacker craft a malicious query string that overrides values within the _SESSION SuperGlobal variable. Another is present in PHP’s session serialisation mechanism, which represents complex structured objects in a textual format so they can be stored in files.

By combining those flaws, an attacker can execute arbitrary code on a server running PhpMyAdmin, a database management application.

“The attacker can combine the two separate vulnerabilities, the former letting the attacker inject a value into the session, and the latter allowing the attacker to create arbitrary string to inject a maliciously crafted PMA_config object into the serialised session,” Imperva said in its report.

The ultimate aim is to take over a server running the PhpMyAdmin software.

The company used its honeypots and community data to analyse attacks, finding that in May 2013, 3,450 requests manipulated PHP SuperGlobal variables. These were generated by 27 different source IP addresses targeting 24 web applications.

“Most of these attacks were not limited to attacks on SuperGlobal parameters, but were part of a larger attack campaign,” Imperva added. “SuperGlobal manipulation has become common practice and has already been integrated into security and hacking tool routines.

“Based on the captured malicious traffic, we were able to trace its origin and find the specific exploit code used to generate it in a hackers’ forum on the web.”

If the code is doing the rounds on the dark web, businesses running PHP on their machines should be concerned and look for fixes.
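One way to check a server's own traffic for the kind of requests Imperva counted is to flag any query parameter named after a PHP SuperGlobal. The script below is an added example, not code from Imperva or the article; it assumes Common Log Format access logs, and the sample lines, paths and addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# PHP's predefined superglobal names; no request parameter should be named after one.
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
                "_COOKIE", "_SESSION", "_REQUEST", "_ENV"}

# Common Log Format prefix: client IP, identity, user, [time], "METHOD target PROTOCOL"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*"')

def superglobal_params(target):
    """Return query parameter names in target whose base name is a superglobal."""
    hits = []
    for name, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl percent-decodes names, so %5FSESSION%5Bk%5D arrives as _SESSION[k].
        # The part before '[' is the variable name.
        if name.split("[", 1)[0] in SUPERGLOBALS:
            hits.append(name)
    return hits

def scan(lines):
    """Return (flagged requests, flagged-request count per source IP)."""
    flagged, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, _method, target = m.groups()
        hits = superglobal_params(target)
        if hits:
            flagged.append((ip, target, hits))
            per_ip[ip] += 1
    return flagged, per_ip

# Constructed sample lines: documentation IP ranges, hypothetical paths and values.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2013:10:00:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/May/2013:10:00:05 +0000] "GET /app/index.php?_SESSION[user]=x HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/May/2013:10:00:06 +0000] "GET /app/index.php?%5FSESSION%5Buser%5D=x HTTP/1.1" 200 812',
    '203.0.113.5 - - [01/May/2013:10:01:00 +0000] "GET /search.php?q=_SESSION HTTP/1.1" 200 300',
    '203.0.113.5 - - [01/May/2013:10:02:00 +0000] "POST /form.php?GLOBALS[a]=1&ok=1 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    flagged, per_ip = scan(SAMPLE_LOG)
    for ip, target, hits in flagged:
        print(ip, hits, target)
    print(dict(per_ip))
```

The check matches on parameter names only, so a search for the text `_SESSION` as a value is not flagged, while the percent-encoded form of the name is.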

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
