Watch Out for PHP Holes

By the end of last year, some 2,100 PHP-related vulnerabilities existed in the ISS database of known vulnerabilities.

In the first half of 2006, desktop filtering software maker Websense counted a 100 percent rise in websites that contained code potentially harmful to visitors. The company declined to reveal how many websites it tallied, but it did say that 40 percent of the sites were hacked—that is, they had their website code altered by outsiders. Of those hacked websites, the vast majority (91 percent) were commissioned to install Trojan horses that take control of visiting computers to turn them into bots—to relay spam, wage denial-of-service attacks or carry out ID theft schemes—or use them as bases for spreading malicious programs such as worms and keyloggers inside the enterprise.

Ben Butler, network abuse manager at GoDaddy.com, a website domain seller and hosting company, says he believes that as many as 50 percent to 60 percent of those successful hacks involve some form of poorly written Web application developed in an easy-to-use, popular hypertext development language called PHP.

"PHP is an extremely hacked application type because it allows server-side scripts to happen on a website. This script is communicating back to the server, and that pathway can be hacked," says Butler, who bases his opinion on the hundreds of investigations GoDaddy opens each week into hacked and abusive websites among its hosted domains.

By the end of last year, some 2,100 PHP-related vulnerabilities existed in IBM Internet Security Systems' database of 30,000 known vulnerabilities. Of all Web development languages, PHP is most widely used because of its ease, says Chris Shiflett, who runs the PHP Security Consortium (at http://phpsec.org) and is the author of Essential PHP Security.

And with ease of use come vulnerabilities, says Bill Boni, corporate vice president of information security and protection at Motorola. Boni says that when you have lots of inexperienced people working with an easy-to-use Web development application, it leads to insecure code.

Boni adds that even experienced developers, under tight deadlines, can create Web applications that are vulnerable to common Web attacks.

Two examples: Last June, Circuit City had one of its webpages turned into a spamware installer. The vulnerability was in a poorly written forms field developed in PHP. And, in October, IBM's popular Websphere application was found to have a cross-site scripting vulnerability, the same type of vulnerability used to propagate a worm on MySpace in October 2005.

–Deb Radcliff

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!