Concern Over PHP Attacks Affecting Major Websites

Hackers are trying in earnest to exploit weaknesses in PHP, the server-side code platform used by 80 percent of the world’s websites, including Facebook and Wikipedia, researchers have warned.

Security company Imperva is particularly concerned about two vulnerabilities that can be used to execute code on servers running PHP. The flaws mean a PHP application can fail to stop variables being modified by external sources.

Attackers are widely abusing SuperGlobal variables to execute code remotely. These variables are predefined and can be used in PHP applications without being declared, unlike local and global variables.

PHP coders warned

One flaw lets an attacker craft a malicious query string that overrides values within the _SESSION SuperGlobal variable. Another is present in PHP’s session serialisation mechanism, which represents complex structured objects in a textual format so they can be stored in files.

By combining those flaws, an attacker can execute arbitrary code on a server running PhpMyAdmin, a database management application.

“The attacker can combine the two separate vulnerabilities, the former letting the attacker inject a value into the session, and the latter allowing the attacker to create arbitrary string to inject a maliciously crafted PMA_config object into the serialised session,” Imperva said in its report.

The ultimate aim is to take over a server running the PhpMyAdmin software.

The company used its honeypots and community data to analyse attacks, finding that in May 2013, 3,450 requests manipulated PHP SuperGlobal variables. These were generated by 27 different source IP addresses targeting 24 web applications.

“Most of these attacks were not limited to attacks on SuperGlobal parameters, but were part of a larger attack campaign,” Imperva added. “SuperGlobal manipulation has become common practice and has already been integrated into security and hacking tool routines.

“Based on the captured malicious traffic, we were able to trace its origin and find the specific exploit code used to generate it in a hackers’ forum on the web.”

If the code is doing the rounds on the dark web, businesses running PHP on their machines should be concerned and look for fixes.
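For administrators who want to check their own logs for the kind of request counted above, the following is an added example, not code from Imperva's report or from the article. It flags query-string parameters whose key is a PHP SuperGlobal name (such as `_SESSION[...]`) and counts them per source IP; the access-log format, paths and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# PHP's predefined SuperGlobal names; a request parameter should never use one as its key.
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
                "_COOKIE", "_SESSION", "_REQUEST", "_ENV"}

# Assumed common/combined log format: client IP first, request line in the first quoted field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:\S+) (\S+)[^"]*"')

def superglobal_params(target):
    """Return the SuperGlobal names used as parameter keys in a request target."""
    hits = []
    for pair in re.split(r"[&;]", urlsplit(target).query):
        key = pair.split("=", 1)[0]
        # Decode a bounded number of times so double-encoded keys (%255B) are caught too.
        for _ in range(3):
            decoded = unquote_plus(key)
            if decoded == key:
                break
            key = decoded
        base = key.split("[", 1)[0].strip()  # _SESSION[a][b] -> _SESSION
        if base in SUPERGLOBALS:
            hits.append(base)
    return hits

def scan(lines):
    """Count flagged requests per source IP."""
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and superglobal_params(m.group(2)):
            per_ip[m.group(1)] += 1
    return per_ip

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE = [
    '203.0.113.7 - - [12/May/2013:10:01:02 +0000] "GET /app/index.php?_SESSION[user]=x HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2013:10:01:05 +0000] "GET /app/index.php?%5FSESSION%5Brole%5D=x HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/May/2013:10:02:00 +0000] "GET /app/list.php?page=2&sort=_SESSION HTTP/1.1" 200 900',
    '192.0.2.44 - - [12/May/2013:10:03:00 +0000] "GET /app/a.php?id=1&GLOBALS%255Bx%255D=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, count in scan(SAMPLE).items():
        print(ip, count)
```

The check covers query strings only; parameters sent in POST bodies or cookies do not appear in a standard access log and need inspection at the application or web application firewall layer.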


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
