- 18 Hot IT Certifications for 2014
- CIOs Opting for IT Contractors Over Hiring Full-Time Staff
- 12 Best Free iOS 7 Holiday Shopping Apps
- For CMOs Big Data Can Lead to Big Profits
CSO - Faulty design in a popular web application programming language is opening up websites across the Internet to hacker attacks, a data security firm reported this week.
Security problems are arising from the way the language, PHP, handles certain kinds of variables in its code, according to the report prepared by researchers at Imperva.
"The PHP platform is by far the most popular web application development platform, powering over eighty percent of all websites, including top sites such as Facebook, Baidu, and Wikipedia," the reportA'A (PDF)A'A explained. "As a result, PHP vulnerabilities deserve special attention."
"In fact," the report added, "exploits against PHP applications can affect the general security and health status of the entire web, since compromised hosts can be used as botnet slaves, further attacking other servers."
Imperva was critical of the way the application programming language defines by default certain "super global" variables and allows external programs, such as cookies, to manipulate them. Hacker attacks exploiting super globals are gaining in popularity with hackers, the report noted.
"[Hackers] incorporate multiple security problems into an advanced Web threat that can break application logic, compromise servers, and may result in fraudulent transactions and data theft," Imperva's researchers reported.
The addition of super global variables to PHP is a relatively new addition to the language. It makes cooking code easier because it removes the necessity of defining some common variables each time an app is created, but the security implications of the practice may not have been thoroughly thought out.
"Technically, PHP isn't broken," NSS Research Director Chris Morales said in an interview. "It's performing as designed. It's just not a good design."
"I totally agree with Imperva," he said. "Why is PHP written in such a way that they allow an external component to execute a super global variable. From a coding perspective, there's no reason to ever to do that. Their implementation is poor."
Since PHP is an open source program, there's always some question as to whether its openness is contributing to its security problems. "I don't think that's the issue here," said Tal Be'ery, Web security research team leader at Imperva.
"If PHP had been closed sourced, it wouldn't have been more secure," Be'ery said in an interview. "There are some architectural decisions taken by the PHP implementers that makes it easier to use for the programmer but makes the software less secure."
PHP has been in the sights of hackers for years. At the end of 2006 alone, there were 2,100 PHP flawsA'A listed in the ISS database of vulnerabilities to tempt net baddies. And through the years, web malcontents have used rogue PHP pages to redirect users to work-at-home scamsA'A and CGI vulnerabilities in the language to execute code remotely.
From Windows to WordPress, large platforms in general attract hacker attention so it shouldn't surprise that PHP has done so, too. "PHP's footprint is pretty large, which makes it juicier as a target," Mat Gangwer, an information security analyst with Rook Consulting, said in an interview.