Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Unpatched servers still enabling exploitation of two-year-old PHP vulnerability

A PHP vulnerability originally disclosed in March 2012 – and revised in October 2013 after a hacker found an easier way to exploit it – is still affecting users after all these years, according to researchers with Imperva.

The reason is simple: people are not patching the vulnerability, Barry Shteiman, director of security strategy with Imperva, told SCMagazine.com on Wednesday.

More than 80 percent of all websites on the internet are written in PHP, the server-side scripting and general-purpose programming language, he said, adding that about 16 percent of those sites are still vulnerable to the exploit.

About 244 million websites use PHP, according to usage stats provided by Netcraft for January 2013.

“The vulnerability enables a remote attacker to execute arbitrary commands on a web server with PHP versions 5.4.x, 5.3.x before 5.4.2 or 5.3.12,” according to an Imperva advisory posted on Tuesday. “The simple, straightforward explanation is that an external attacker can set command line options for the PHP execution engine. Such command line options eventually allow the attacker to execute arbitrary PHP code on the server.”

Around the time of the October 2013 disclosure revision, Imperva quickly observed as many as 30,000 attack campaigns taking advantage of the vulnerability, Shteiman said, explaining that attackers all over the world targeted various systems for a number of reasons, including hijacking servers and distributing malware.

Some of the botnets that Imperva uncovered in its research are still active and are fairly new, Shteiman said, adding that anyone can run a simple Google dork search to identify sites that are vulnerable to the exploit.

Aside from applying the PHP patch, the Imperva research offers other ways to protect against this type of attack, including not running PHP in Common Gateway Interface (CGI) mode, where the flaw lives, and placing web applications behind a Web Application Firewall (WAF) that can block the malformed requests.
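The mechanism the advisory describes is the CGI convention that a query string containing no unencoded "=" is split on "+", percent-decoded and handed to the script as command-line arguments (RFC 3875 section 4.4), which is how a request can pass options such as -s or -d to the PHP CGI binary. The script below is an added example, not code from the article or from Imperva: it reproduces that argv rule to flag such requests in web server access logs, and checks a PHP version string against the fixed releases the advisory names (5.3.12 and 5.4.2). The log lines are constructed; the second request is shaped like the publicly known proof of concept, using -d to set INI directives. Treating branches older than 5.3 as unpatched is an assumption, since the quoted advisory lists only 5.3.x and 5.4.x.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Apache/nginx "combined" log format. The sample lines are constructed for this example.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2014:11:02:13 +0000] "GET /index.php?-s HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:11:02:14 +0000] "POST /cgi-bin/php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2014:11:03:01 +0000] "GET /index.php?id=5 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2014:11:03:07 +0000] "GET /search.php?php+tutorial HTTP/1.1" 200 2109 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def cgi_argv(query: str) -> List[str]:
    """Turn a query string into argv the way a CGI server does (RFC 3875 s4.4).

    Only a query with no unencoded '=' becomes arguments; it is split on '+'
    and each piece is percent-decoded afterwards, so '%3d' survives as '='
    inside an argument. Returns [] when the query would not reach argv.
    """
    if not query or "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]


def option_args(query: str) -> List[str]:
    """Arguments that look like command-line options (start with '-')."""
    return [arg for arg in cgi_argv(query) if arg.startswith("-")]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag requests whose query string would be passed to PHP as options."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        path, _, query = m.group("target").partition("?")
        options = option_args(query)
        if options:
            hits.append({
                "ip": m.group("ip"),
                "path": path,
                "argv": cgi_argv(query),
                "options": options,
                "status": int(m.group("status")),
            })
    return hits


def is_unpatched(version: str) -> bool:
    """True if a PHP version predates the fixed releases in the advisory.

    5.3.x is fixed from 5.3.12 and 5.4.x from 5.4.2. Older branches never
    received the fix and are treated as unpatched (assumption, see lead-in).
    This says nothing about the SAPI in use: the bug is in the CGI binary,
    so a mod_php or FPM install on an old version is not exposed this way.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) == (5, 4):
        return patch < 2
    return (major, minor, patch) < (5, 3, 12)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['path']} argv={hit['argv']} status={hit['status']}")
    for v in ("5.3.11", "5.3.12", "5.4.1", "5.4.2-1ubuntu", "5.2.17"):
        print(v, "unpatched" if is_unpatched(v) else "fixed")
```

The "=" test is applied to the raw query before decoding, which is what makes the second sample line a hit even though its decoded arguments contain "=": an attacker has to encode the equals sign precisely to keep the server on the argv path. A 200 on such a request is worth a closer look than a 404, and a hit against a host that is not running php-cgi is noise rather than a compromise.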

But it is not always that simple, Shteiman said, explaining that users sometimes forgo patches because they do not properly understand the issue or the patch, or because day-to-day operations depend on behaviour that the patch changes.

“Universities are very susceptible because they rarely update servers,” Shteiman said. “Retailers are at risk too. Most people that have online transactions will not want to take down servers. A person that makes money through their website is reluctant to make a change if it means [stopping] business.”
