Poor design fosters hacker attacks on websites running PHP

App language contains open door for Black Hat mischief

Faulty design in a popular web application programming language is opening up websites across the Internet to hacker attacks, a data security firm reported this week.

Security problems are arising from the way the language, PHP, handles certain kinds of variables in its code, according to the report prepared by researchers at Imperva.

"The PHP platform is by far the most popular web application development platform, powering over eighty percent of all websites, including top sites such as Facebook, Baidu, and Wikipedia," the report (PDF) explained. "As a result, PHP vulnerabilities deserve special attention."

"In fact," the report added, "exploits against PHP applications can affect the general security and health status of the entire web, since compromised hosts can be used as botnet slaves, further attacking other servers."

Imperva was critical of the way the application programming language defines certain "super global" variables by default and allows external sources, such as cookies, to manipulate them. Attacks exploiting super globals are gaining in popularity with hackers, the report noted.

"[Hackers] incorporate multiple security problems into an advanced Web threat that can break application logic, compromise servers, and may result in fraudulent transactions and data theft," Imperva's researchers reported.

Super global variables are a relatively new addition to PHP. They make coding easier because they remove the necessity of defining some common variables each time an app is created, but the security implications of the practice may not have been thoroughly thought out.
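The risk described above, as an added PHP example that is not from the article or the Imperva report: it assumes an application that copies client-supplied parameters into variables, and contrasts that with an allowlist that refuses keys named after super globals. The helper names `import_unsafe` and `import_safe`, the `is_admin` flag and the sample cookie data are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for $_COOKIE (not from the report).
$sampleCookies = ['theme' => 'dark', '_SESSION' => ['is_admin' => '1']];

// Names PHP reserves for its predefined super globals.
const SUPERGLOBAL_NAMES = [
    'GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
    '_SESSION', '_SERVER', '_FILES', '_ENV',
];

// Weak pattern: every key the client sends becomes a global variable,
// so a key named "_SESSION" replaces the server-side session array.
function import_unsafe(array $input): void
{
    foreach ($input as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Hardened pattern: return only allowlisted string fields and refuse
// any request whose keys collide with a super global name.
function import_safe(array $input, array $allowed): array
{
    $clean = [];
    foreach ($input as $name => $value) {
        if (in_array((string) $name, SUPERGLOBAL_NAMES, true)) {
            throw new InvalidArgumentException("reserved parameter name: $name");
        }
        if (in_array((string) $name, $allowed, true) && is_string($value)) {
            $clean[$name] = $value;
        }
    }
    return $clean;
}

$_SESSION = ['is_admin' => '0'];      // state set by the server
import_unsafe($sampleCookies);
var_dump($_SESSION['is_admin']);      // value now comes from the client

$_SESSION = ['is_admin' => '0'];
try {
    import_safe($sampleCookies, ['theme']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
var_dump($_SESSION['is_admin']);      // session left as the server set it
```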

"Technically, PHP isn't broken," NSS Research Director Chris Morales said in an interview. "It's performing as designed. It's just not a good design."

"I totally agree with Imperva," he said. "Why is PHP written in such a way that they allow an external component to execute a super global variable? From a coding perspective, there's no reason ever to do that. Their implementation is poor."

Since PHP is an open source program, there's always some question as to whether its openness is contributing to its security problems. "I don't think that's the issue here," said Tal Be'ery, Web security research team leader at Imperva.

"If PHP had been closed source, it wouldn't have been more secure," Be'ery said in an interview. "There are some architectural decisions taken by the PHP implementers that make it easier to use for the programmer but make the software less secure."


PHP has been in the sights of hackers for years. At the end of 2006 alone, there were 2,100 PHP flaws listed in the ISS database of vulnerabilities to tempt net baddies. And through the years, web malcontents have used rogue PHP pages to redirect users to work-at-home scams and CGI vulnerabilities in the language to execute code remotely.

From Windows to WordPress, large platforms in general attract hacker attention, so it shouldn't be a surprise that PHP has done so, too. "PHP's footprint is pretty large, which makes it juicier as a target," Mat Gangwer, an information security analyst with Rook Consulting, said in an interview.

What makes large platforms especially attractive is that they can give hackers the most bang for their buck. "When they come up with an exploit or attack on one site it can be traversed across multiple sites so it doesn't have to be a single targeted attack," Gangwer said.

"In a lot of ways, PHP is a victim of its own success," said Daniel Peck, a research scientist with Barracuda Networks.

Peck explained that hosting sites rapidly adopted the language because it was easy to use, it worked and it was free. That kind of haphazard growth created growing pains for the language -- including security aches.

"The documentation and example code has a lot of poor and insecure practices in it so if you search on how to solve your problem in PHP, you'll come up with an insecure solution," Peck said in an interview.

Even programmers who want to mind their security P's and Q's can find it challenging. "It also has some features that make it difficult to program securely," Peck noted. "It can be done, but you need to put a significant amount of effort into it."

PHP is also plagued with another affliction of mega Web platforms. "Content systems deployed in an open source fashion are easy to deploy and administer, but often the resources aren't there to keep up with the patch frequencies and the vulnerabilities associated with them," JD Sherry, vice president of Technology and Solutions for Trend Micro, told CSOonline.

"When you couple the problem with super global variables with unpatched systems, you've got a perfect storm for an attacker," Sherry said.
