
Facebook, Yahoo and Wikipedia users vulnerable to attack thanks to PHP flaw

09 Sep 2013

A vulnerability in the way PHP, the language behind most websites including Facebook, Yahoo and Wikipedia, handles its superglobal variables is being actively exploited in an automated campaign that also abuses a flaw in the phpMyAdmin database tool, according to Imperva researchers.

Imperva reported detecting a campaign targeting the vulnerability in PHP with an automated wave of cyber attacks in its Hacker Intelligence Initiative report. Imperva's web research team leader Tal Be'ery explained to V3 that the vulnerability being exploited stems from a flaw in PHP's Superglobal mechanism.

"By injecting a value into an internal variable, in this case by using PHP's Superglobal mechanism, the attacker is able to change the application flow and execute arbitrary commands to take control over the server. In the attack we researched, the attackers used a vulnerability in phpMyAdmin, a popular database management app, to inject commands via a vulnerability in its handling of the Session Superglobal," explained Be'ery.

"Combined with an additional vulnerability in some PHP versions, which allowed the storing and extracting of the Session in an unsafe manner, it enabled the attacker to run arbitrary code on the infected server and take full control over it."

Be'ery said the vulnerability is particularly dangerous due to the common use of PHP and could be used by hackers for a variety of purposes. "PHP code is powering most of the web (80 percent), including high-profile sites such as Facebook, Yahoo, Baidu and Wikipedia. Since the attack is automated by nature we believe that the attackers had attempted to hack into major sites as well as smaller sites," he said.

"Server takeover [grants the attacker] full control over the server's resources, including, but not limited to, access to all of the app users' stored data, enslaving the infected server to be a 'soldier' in a botnet and storing an infection code on the server and infecting the site's users with malware."

The Imperva report found that the attackers have been targeting the vulnerability with increasing tenacity for several months, and that already-compromised servers, including one belonging to a bank, were among the sources of the attack traffic.

"Over the course of a month, our research team witnessed 144 attacks per application (within a sample of 24 applications) that contained attack vectors related to Superglobal parameters," read the report.

"These attacks appeared in the form of request burst floods – we have seen peaks of over 20 hits per minute, reaching up to 90 hits per minute, on a single application. Some attack campaigns spanned over a period of more than five months. One of the attack sources was a compromised server belonging to an Italian bank."

Be'ery cited the campaign as further proof that criminals are developing new, more sophisticated ways to attack businesses. "I think it's evidence for the general evolution of the web threat landscape, as it shows that attackers are capable of mounting complex attacks which consist of combining multiple vulnerabilities in different products and packaging them into simple-to-use tools. I believe we will see more combined attacks in the near future," said Be'ery.

The Imperva researcher said businesses can protect themselves in several ways: deploying an application-layer defence, such as a web application firewall, that inspects incoming requests for attack patterns; bluntly blocking any request that carries a Superglobal name (such as _SESSION) as a parameter name, since no legitimate application reads those as user input; and limiting reliance on third-party code such as the phpMyAdmin (PMA) utility used in this campaign, and keeping any that is deployed patched.
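The Session-Superglobal injection Be'ery describes above and the blunt parameter-blocking he recommends here can both be illustrated with a small request filter. The following is an added example written for this article, not Imperva's, phpMyAdmin's or PHP's own code: it flags any request whose query string or form body carries a parameter whose name PHP would turn into a superglobal. The request lines are constructed for illustration and the function names are this example's own.

```python
"""Flag HTTP requests that try to smuggle a PHP superglobal name in as a
request parameter (e.g. ?_SESSION[x]=y).

Added example, not code from the article or from Imperva. Sample requests
below are constructed, not captured traffic.
"""
from urllib.parse import parse_qsl, urlsplit

# The nine PHP superglobals. None of them is ever a legitimate input name.
PHP_SUPERGLOBALS = frozenset({
    "GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
    "_COOKIE", "_SESSION", "_REQUEST", "_ENV",
})


def php_name(param: str) -> str:
    """Normalise a parameter name the way PHP does before it becomes a
    variable: leading spaces are dropped, '.' and ' ' become '_', and
    array syntax is cut off. So '.SESSION[x]' and '_SESSION[x]' both
    yield '_SESSION'; an exact-string check would miss the first."""
    base = param.lstrip(" ").split("[", 1)[0]
    return base.replace(".", "_").replace(" ", "_")


def superglobal_params(query: str) -> list[str]:
    """Return the parameter names in a query string (or form body) that
    collide with a superglobal. parse_qsl percent-decodes, so
    '%5FSESSION' is caught as well."""
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if php_name(name) in PHP_SUPERGLOBALS]


def is_superglobal_injection(request_target: str, body: str = "") -> bool:
    """True if either the URL query or a form-encoded body names a superglobal."""
    query = urlsplit(request_target).query
    return bool(superglobal_params(query) or superglobal_params(body))


# Constructed sample requests: (method, target[, body]).
SAMPLE_REQUESTS = [
    ("GET", "/phpmyadmin/index.php?db=test&table=users"),         # benign
    ("GET", "/phpmyadmin/index.php?_SESSION[foo]=bar"),           # injection
    ("GET", "/index.php?%5FSESSION%5Bpma%5D=1"),                  # encoded
    ("POST", "/login.php", "user=admin&_REQUEST[auth]=1"),        # in body
    ("GET", "/search.php?q=_SESSION"),                            # value only
    ("GET", "/index.php?.SESSION[x]=1"),                          # dot form
]


def flagged_requests(requests=SAMPLE_REQUESTS) -> list[str]:
    """Run the filter over the sample set; return 'METHOD target' per hit."""
    hits = []
    for req in requests:
        method, target = req[0], req[1]
        body = req[2] if len(req) > 2 else ""
        if is_superglobal_injection(target, body):
            hits.append(f"{method} {target}")
    return hits


if __name__ == "__main__":
    for line in flagged_requests():
        print("BLOCK", line)
```

The check matches on the normalised parameter name only, so a value that happens to contain the string _SESSION (the search query above) is not blocked. Blocking at this layer stops the injection vector but does not fix the underlying phpMyAdmin and PHP defects the campaign chained together; patching both remains the real remedy.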

The PHP campaign is one of many advanced attacks uncovered in recent months. Trend Micro researchers last month detected a spike in the numbers of criminal groups using Java native-layer vulnerabilities to infiltrate businesses and government systems.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

