Are PHP SuperGlobals putting Web applications at risk?

Updated happygeek 4 Tallied Votes 614 Views Share

In the newly published Imperva 'Hacker Intelligence Initiative Report' the in-the-wild modification and exploitation of PHP SuperGlobal variables has been investigated. This particular external variable modification weakness has been described as being where a PHP application does "not properly protect against the modification of variables from external sources, such as query parameters or cookies". Imperva has seen evidence of SuperGlobal variables being used as a launchpad for remote code execution, remote file inclusion and security filter evasions attacks.

The report itself should be something of a must-read for anyone developing PHP applications who wants to get a grip on how these can be manipulated by those exploiting the SuperGlobal parameters. Not least as it would appear that PHP SuperGlobal parameters are gaining an increased popularity within the hacking community courtesy of being able to incorporate multiple security problems into an advanced threat used to break application logic, compromise servers and ultimately result in data theft. The Imperva research team note that in just one month it saw an average of 144 attacks per application with attack vectors related to these SuperGlobal parameters. They also witnessed attack campaigns which lasted five months or more, with 'request burst floods' as high as 90 hits per minute on a single given application.

Highlights from the report, which can be downloaded for free here, include:

  • Key exposures in third-party infrastructure demonstrate need for an “opt out” security model. The report found a vulnerability in the very popular PhpMyAdmin (PMA) utility, used to manage MySQL databases in PHP environments. Because it is often bundled with other applications using the popular MySQL Database, having this vulnerable utility present on the server, even if it is not being used by the administrator, exposes the server to code execution attacks, and as a consequence, to full server takeover. Therefore, an “opt out” security model is recommended.
  • Positive security models are best. Only a positive security mechanism that specifies the allowed parameter names for each resource can prevent an attacker from taking advantage of the external variable manipulation weakness, which gives anyone the ability to send out external parameters with the same name of internal variables, and thus override the value of the latter.
  • Hackers are sophisticated. Imperva researchers observed that attackers are capable of mounting complex attacks and packaging them into simple-to-use tools. However, while an impressive demonstration of attack strength, the PHP method has pitfalls. An application security solution that can detect and mitigate a single stage of the attack can render the entire attack useless.
  • SuperGlobal parameters in requests should be blocked. There is no reason for these parameters to be present in requests; therefore, they should be banned.

"The effects of these attacks can be great as the PHP platform is by far the most popular web application development platform, powering more than 80 percent of all websites, including Facebook and Wikipedia" Amichai Shulman, CTO at Imperva says, continuing "clearly, it is time for the security community to devote more attention to this issue."

pritaeas 2,194 ¯\_(ツ)_/¯ Moderator Featured Poster

Unfortunately this is not new. The problem is that a lot of people are using these without thinking ahead, thus causing security risks. Here's an article from 2003 on the subject.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Truth be told, many security problems are not new - the appearance of the results of bad practise in the wild is cyclical and it seems that the SuperGlobals are in the spotlight again right now.

pritaeas commented: Exactly. +14
piers 8 Junior Poster in Training

surely if you use things like mysql_real_escape_string and addslashes to your mysql queries this would limit the effect of hackers editing superglobals to access data?

sktthemes 0 Newbie Poster

I think its not easy to hack PHP web site.Depend on programmer how to done php code in this website php scripting level is very then chance to hackers hack this site.

But some time if you use post method hack cant be identify page name and which type of post variables used.In get method hackers easily identify the user sending data by using get method.So in this time hackers can easily hack php web site.

But no problem always keep backup of your database and importants files.

sktthemes 0 Newbie Poster

Try to use best PHP platform of web developement for php website.Some other opensource are hack.

Member Avatar for LastMitch
LastMitch

surely if you use things like mysql_real_escape_string and addslashes to your mysql queries this would limit the effect of hackers editing superglobals to access data?

How sure are you sure that your method will work?

HG is a consultant, he only does research and write articles.

Base on his research and his past articles I read and his experience on hackers. He feels and knows how a hackers can do those things.

There's no safety zones on php, it's a given.

Alfred_2 -3 Newbie Poster

I have gone through your article and it is very impressive but if you will use the best php services then there is no such danger and the method given by you is not that promising

hag++ 24 Junior Poster

There's no safety zones on php, it's a given.

Boy I hate it when people blame the tools instead of the developers. Sites built on ANY language can contain massive security holes if web security best practices are not followed. Blaming PHP is analagous to a bad carpenter blaming his hammer for the house collapsing.

Gaetane 12 Newbie Poster

First rule of PHP (Web Development): "Never trust no-one, no how, not ever. Never. Ever, ever, ever. Ever." I sanitize everything to the highest level required coming in and going out. Plus I use PDO for database access. And I'm a ruthless tag stripper. If anyone needs <script> they can go to jsfiddle.com... ^_^

urtrivedi commented: I agree +12
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.