Technology News

latest updates from easySERVICE™

Unpatched servers still enabling exploitation of PHP vulnerability

server room

PHP vulnerability originally disclosed in March 2012 – and revised in October 2013 after a hacker found an easier way to take advantage of the exploit – is still impacting users after all these years, according to researchers with Imperva.

The reason why is simple: people are not patching the vulnerability, Barry Shteiman, director of security strategy with Imperva, told on Wednesday.

More than 80 percent of all websites on the internet are written in the server-side scripting and general-purpose programming language, he said, adding that about 16 percent of those sites are vulnerable to the exploit.

About 244 million websites use PHP, according to usage stats provided by Netcraft for January 2013.

“The vulnerability enables a remote attacker to execute arbitrary commands on a web server with PHP versions 5.4.x, 5.3.x before 5.4.2 or 5.3.12.,” according to an Imperva advisory posted on Tuesday. “The simple, straightforward explanation is that an external attacker can set command line options for the PHP execution engine. Such command line options eventually allow the attacker to execute arbitrary PHP code on the server.”

Around the time of the October 2013 disclosure revision, Imperva quickly observed as many as 30,000 attack campaigns taking advantage of the vulnerability, Shteiman said, explaining attackers all over the world targeted various systems for a number of reasons, including hijacking servers and distributing malware.

Some of the botnets that Imperva uncovered in its research are still active and are fairly new, Shteiman said, explaining that people can do a simple Google dorks search to identify sites that are vulnerable to the exploit.

Aside from applying the PHP patch, the Imperva research offers other ways to protect against this type of attack, including not using PHP in Common Gateway Interface (CGI) mode and placing web applications behind something, such as a Web Application Firewall (WAF).

But it is not always that simple, Shteiman said, explaining that sometimes users forgo applying patches because they do not have a proper understanding of the issue and the patch, or because pre-patched conditions are relied on for regular operations.

Source: Associated Press


One comment on “Unpatched servers still enabling exploitation of PHP vulnerability

  1. StellarPhoenixS
    April 7, 2015

    Reblogged this on Stellar Phoenix Solutions.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


This entry was posted on March 19, 2014 by in Security, Server and tagged , , , , , .
%d bloggers like this: