Threats against web applications developed in PHP continue to be an area of high activity and interest for attackers. PHP applications now represent a significant portion of the web-application attack footprints we see in our HoneyPoint Internet Threat Monitoring Environment (HITME). PHP scans and probes for new and emerging vulnerabilities are a common occurrence and one the driving forces behind our deployment of the HITME. Our unique insights into ongoing threat activities allows our vulnerability management and professional services clients to know that they are better protected, even against bleeding edge threats.
PHP security issues are so common that the folks at BreakingPoint Labs call it “one of the most commonly attacked pieces of software on the Internet today”. Even when deployed in so called, “safe mode”, PHP applications can still present a high level of risk. Until, at least, the release and wide scale adoption of PHP 6, issues are likely to continue to abound, maybe even beyond that if the attacker underground has anything to say about it.
PHP security problems also represent a major portion of known web vulnerabilities, especially over the course of 2008. Syhunt, the makers of Sandcat Pro, a web application vulnerability scanner and partner to MSI, has even created Sandcat4PHP, a special source code scanner to help organizations proactively secure their PHP applications during development. Recently, Syhunt created these images that show the impact that PHP vulnerabilities are having on their work. PHP security issues represent an overwhelming margin of their work for the year.
All of this is not to say that PHP development is a bad thing. In fact, PHP developed applications have empowered many new cutting edge applications, fueled the growth of web 2.0 and been a powerhouse for bringing average users the web maturity that they have come to expect. Combining the ease of PHP with the power of MySQL, Apache and other open source tools has become a virtual standard for the online world. PHP applications CAN BE DONE SECURELY, they just require additional work and effort to create secure code, just like any other language. The ease of PHP makes it a great language for learning development, but we, as a community, need to help even those budding developers among us learn the basics of creating secure code. Techniques like input validation, proper sanitization, strong authentication and role-based access controls need to be a core part of our outreach teaching to developers.
In the meantime, while education is being worked on, it might be a wise idea to take a check around your environment and audit any PHP applications in production or planned for use in the near future. Additional work, tools or monitoring may be required to better handle the risk you find. Let us know if we can be of any help or if you desire additional insight into PHP security problems. Keep your eyes on PHP, though, its powerful, flexible capabilities make it a big player in the future of the web!
** Have feedback on this post? Please feel free to leave a comment, drop me a line via email or send me a tweet to @lbhuston on twitter. Thanks for reading! **