In the first half of 2006, desktop filtering software maker Websense counted a 100 percent rise in websites that contained code potentially harmful to visitors. The company declined to reveal how many websites it tallied, but it did say that 40 percent of the sites were hacked—that is, they had their website code altered by outsiders. Of those hacked websites, the vast majority (91 percent) were commissioned to install Trojan horses that take control of visiting computers to turn them into bots—to relay spam, wage denial-of-service attacks or carry out ID theft schemes—or use them as bases for spreading malicious programs such as worms and keyloggers inside the enterprise.

Ben Butler, network abuse manager at GoDaddy.com, a website domain seller and hosting company, says he believes that as many as 50 percent to 60 percent of those successful hacks involve some form of poorly written Web application developed in an easy-to-use, popular hypertext development language called PHP.

“PHP is an extremely hacked application type because it allows server-side scripts to happen on a website. This script is communicating back to the server, and that pathway can be hacked,” says Butler, who bases his opinion on the hundreds of investigations GoDaddy opens each week into hacked and abusive websites among its hosted domains.

By the end of last year, some 2,100 PHP-related vulnerabilities existed in IBM Internet Security Systems’ database of 30,000 known vulnerabilities. Of all Web development languages, PHP is most widely used because of its ease, says Chris Shiflett, who runs the PHP Security Consortium (at http://phpsec.org) and is the author of Essential PHP Security. And with ease of use come vulnerabilities, says Bill Boni, corporate vice president of information security and protection at Motorola.
Boni says that when you have lots of inexperienced people working with an easy-to-use Web development application, it leads to insecure code. Boni adds that even experienced developers, under tight deadlines, can create Web applications that are vulnerable to common Web attacks. Two examples: Last June, Circuit City had one of its webpages turned into a spamware installer. The vulnerability was in a poorly written form field developed in PHP. And, in October, IBM’s popular Websphere application was found to have a cross-site scripting vulnerability, the same type of vulnerability used to propagate a worm on MySpace in October 2005.

–Deb Radcliff
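The Circuit City and Websphere incidents above are both cases of untrusted form input being written back into a page. The PHP below is an added illustration, not code from the article or from any product it names; the field name, sample input and function names are constructed for the example, and it shows the reflected-input mistake next to the context-appropriate fix.

```php
<?php
// Added example (not from the article): a PHP handler that reflects a submitted
// form field, in its vulnerable form and in a hardened form. The field name
// "comment" and the sample input below are constructed for illustration.

// Vulnerable: the raw form value is concatenated straight into HTML, so any
// markup or script a visitor submits is parsed by the next browser that loads
// the page. This is the cross-site scripting pattern the article describes.
function render_comment_vulnerable(array $post): string
{
    $comment = $post['comment'] ?? '';
    return '<p>You wrote: ' . $comment . '</p>';
}

// Hardened: encode the value for the HTML context at the point of output.
// ENT_QUOTES also encodes single quotes so the same value is safe inside a
// quoted attribute; ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string; the charset must match the page's declared one.
function render_comment_hardened(array $post): string
{
    $comment = $post['comment'] ?? '';
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>You wrote: ' . $safe . '</p>';
}

// Detection aid for a code review or unit test: true when the rendered HTML
// still contains an unencoded tag from the input, i.e. the encoding was skipped.
function reflects_raw_markup(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample: the textbook probe string used in XSS testing.
$sample = ['comment' => '<script>alert(1)</script>'];

$unsafe = render_comment_vulnerable($sample);
$safe   = render_comment_hardened($sample);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
echo 'vulnerable output reflects markup: ', var_export(reflects_raw_markup($unsafe), true), PHP_EOL;
echo 'hardened output reflects markup:   ', var_export(reflects_raw_markup($safe), true), PHP_EOL;
```

Output encoding belongs at the point where the value enters HTML; validating the field on input is a useful second layer but does not replace it, since the same value may later be emitted into a different context.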