PHP flaw could take down major sites, researchers fear

Hackers are trying to exploit a flaw in the PHP code used by most major websites, according to security researchers.

IT security firm Imperva claims to have detected hackers mounting a campaign to exploit weaknesses in the PHP SuperGlobal variable to launch a wave of automated attacks, which could affect 80 per cent of the world's websites.

The company's Hacker Intelligence Initiative report detailed how PHP SuperGlobal is a prime target that yields a high return on investment for hackers.

One vulnerability allows a cyber criminal to create a malicious query string that overrides values within the _SESSION SuperGlobal variable. A second flaw is found in the PHP serialisation mechanism, which represents complex structured objects, such as the session data, into a flat text form.

The combination of these two vulnerabilities could allow a hacker to execute arbitrary code on a server running phpMyAdmin: the first lets the attacker inject a value into the session, and the second lets the attacker craft an arbitrary string that injects a maliciously crafted PMA_config object into the serialised session. This fault could allow an attacker to take control of the server.

"Because compromised hosts can be used as botnet slaves to attack other servers, exploits against PHP applications can affect the general security and health of the entire web," said Amichai Shulman, CTO at Imperva.

"The effects of these attacks can be great as the PHP platform is by far the most popular web application development platform, powering more than 80 per cent of all websites, including Facebook and Wikipedia. Clearly, it is time for the security community to devote more attention to this issue."

According to Imperva, as of May this year, some 3,450 requests that manipulated PHP SuperGlobal variables were identified and these requests were generated by 27 different source IP addresses targeting 24 web applications.

Among its recommendations, the report said SuperGlobal parameters in requests should be blocked. "Since there is no reason for these parameters to be present in requests, they should be banned," the report added.
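The recommendation above translates directly into a request filter: reject (or at least alert on) any request whose parameter names are PHP superglobals. The following is an added example, not code from Imperva's report or from any PHP project; it scans a handful of constructed Apache-style access-log lines, decodes each query string, and flags parameters whose base name is `GLOBALS` or one of the `_SESSION`/`_SERVER`/`_GET`-style superglobals, including array-style keys such as `_SESSION[foo]` and percent-encoded spellings. It deliberately matches on parameter names only, so a legitimate search for the word `_SESSION` in a value is not flagged. The log format, IP addresses and paths are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# PHP superglobal names (case-sensitive in PHP, so matched exactly).
# No legitimate client request has any reason to name one of these.
SUPERGLOBAL_NAMES = {
    "GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
    "_COOKIE", "_SESSION", "_REQUEST", "_ENV",
}

# Pulls the request target out of a combined-format access-log line.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic). Only the second and
# third carry a superglobal *name* as a parameter; the fourth merely has
# the word _SESSION as a value and must not be flagged.
LOG_LINES = [
    '203.0.113.5 - - [10/Sep/2013:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Sep/2013:10:01:07 +0000] "GET /phpmyadmin/index.php?_SESSION[foo]=bar HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Sep/2013:10:02:15 +0000] "POST /login.php?GLOBALS[cfg]=1 HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Sep/2013:10:02:20 +0000] "GET /search.php?q=_SESSION HTTP/1.1" 200 300',
]


def superglobal_params(query: str) -> list[str]:
    """Return the parameter names in a query string that name a PHP superglobal.

    parse_qsl percent-decodes names, so `%5FSESSION%5Bfoo%5D` is seen as
    `_SESSION[foo]`; the base name before any `[` is what is compared.
    """
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        base = name.split("[", 1)[0]
        if base in SUPERGLOBAL_NAMES:
            hits.append(name)
    return hits


def flag_log_line(line: str) -> list[str]:
    """Return the offending parameter names for one access-log line (empty if clean)."""
    m = _REQ_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return superglobal_params(query)


def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (source IP, offending parameters) for every line that should be blocked."""
    results = []
    for line in lines:
        hits = flag_log_line(line)
        if hits:
            results.append((line.split()[0], hits))
    return results


def should_block(query: str) -> bool:
    """Decision a request filter would make: block if any superglobal name is present."""
    return bool(superglobal_params(query))


if __name__ == "__main__":
    for ip, params in scan_log(LOG_LINES):
        print(f"{ip}: superglobal parameter(s) in request: {', '.join(params)}")
```

Because a log line only records the query string, this example cannot see POST bodies or cookies; a filter placed in front of the application (a WAF rule or a check at the top of the PHP entry point) should apply the same name-based test to every parameter source the application reads.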

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.