PHP SuperGlobals: Supersized Trouble
The PHP platform is by far the most popular web application development platform, powering over 80% of all websites, including top sites such as Facebook, Baidu, and Wikipedia. As a result, PHP vulnerabilities deserve special attention. In fact, exploits against PHP applications can affect the general security and health status of the entire web, since compromised hosts can be used as botnet slaves for further attacks on other servers.
In the PHP architecture, several predefined variables are available in every scope of the application without being explicitly defined in each script. These variables are called PHP SuperGlobals.
Ever since the PHP platform was introduced, the interaction between PHP SuperGlobals and user input has represented a security risk. Despite recommendations by application security experts, this interaction is still here today – probably due to the high flexibility it provides to programmers and due to the amount of legacy code written this way.
Two of the vulnerabilities mentioned in our report date back to 2010 and 2011. Unfortunately, they are still actively and successfully being used in combination with other legacy PHP security issues. That is exactly the problem! We should have gotten rid of the easy path from user input to SuperGlobals a long time ago.
Does this teach us something about patching known problems in the software development lifecycle as a security strategy? Does it imply that one should only trust a 3rd-party application layer security solution that tracks attacks in the wild? SQL injection is also old news. Does this have any effect on SQL injection still being the #1 threat to web applications? Some of these questions are mind-blowing, and yet for many they remain unanswered.
Our research explores PHP vulnerabilities and the methods hackers use to exploit them in the wild. We also provide an analysis and specific recommendations on how organizations should prepare for and deal with the long-standing security risks of PHP SuperGlobals.