Researchers Call for Ban on PHP SuperGlobal Variables

Researchers urge developers to ban PHP SuperGlobal variables in applications. These variables are wide open to remote code execution, remote file inclusion and security bypasses.

The ease with which PHP applications can be subverted should be pretty apparent by now given the number of botnets supported by compromised sites hosting PHP code.

The biggest culprit in the PHP universe may be a set of nine variables called SuperGlobals that provide programmers with development flexibility yet introduce dangerous vulnerabilities that allow attackers to externally modify these variables and run code of their choosing, conduct remote file inclusion, or bypass intrusion detection signatures.

Research released today by Imperva calls for a ban on SuperGlobal variables, vulnerabilities which can be exploited to break application logic and hack servers hosting the wonky code. The result could be anything from fraud against online banking customers to loss of personal data.

“Because compromised hosts can be used as botnet slaves to attack other servers, exploits against PHP applications can affect the general security and health of the entire Web,” said Amichai Shulman, CTO at Imperva.

Imperva’s research points out that 81 percent of websites host some PHP code, compared to, for example, ASP.NET which is found on 19 percent of sites, and Java on 3 percent. PHP SuperGlobal variables, meanwhile, are problematic because they can allow an outsider to remotely override internal variables with external input, Imperva said.

Imperva monitored two particular vulnerabilities: CVE-2011-2505, which is a flaw in the authentication feature of PhPMyAdmin (PMA) that enables hackers to modify the _SESSION SuperGlobal variable; and CVE-2010-3065, which enables the injection of arbitrary code strings into a serialized session.

The Imperva report said hackers can combine the two vulnerabilities and execute code on a server running PMA. A configuration object running in PMA would need to load two functions in order ro execute an injected configuration file.

“The attacker can combine the two separate vulnerabilities, the former letting the attacker inject a value into the session, and the latter allowing the attacker to create arbitrary string to inject a maliciously crafted PMA_config object into the serialized session,” the report said.

In May, researchers monitored attacks against PHP applications, the data collected via honeypots and from customer data. More than 3,000 requests were observed that manipulated SuperGlobal variables; those requests came from 27 source IP addresses against 24 Web applications; 55 percent of the attacks seen were against SuperGlobal parameters.

These vulnerabilities, Imperva said, are known to the security industry and popular scanners such as Nessus and Nikto already scan for them. But developers continue to use them in PHP applications. Attacks, however, have legs. One particular campaign observed by Imperva lasted five months and IP addresses from six countries were targeting sites in a number of critical industries, including financial services. Exploit code, meanwhile, was found on a popular Russian hacker forum.

“Interestingly, some of the attacking IP addresses targeted two to three applications simultaneously. The requests were probably generated by the same tool, as they contained distinct characteristics such as an identical, rarely user-agent string,” the report said.

Attackers are also intent on giving these PHP attacks some longevity by injecting behaviors that help them elude being detected by security software. The _REQUEST SuperGlobal variable is being abused in these instances, Imperva said. This particular variable works because, rather than expose a vulnerable portion of code, it functionally changes the parameters’ names which can enable it to bypass an existing IDS signature, for example.

These attacks illustrate the need to keep PHP code up to date, in particular on third-party applications, because they’re easily being exploited.

“Attackers are able to capture this complex attack scenario in a single script that can be used by a botnet operator without exceptional skills,” the report said. “The script can be automatically distributed to compromised servers and executed autonomously to gain control or further servers.”

Suggested articles