Imperva's newly published 'Hacker Intelligence Initiative Report' investigates the in-the-wild modification and exploitation of PHP SuperGlobal variables. The underlying weakness, external variable modification, is described as a PHP application that does "not properly protect against the modification of variables from external sources, such as query parameters or cookies". Imperva has seen evidence of SuperGlobal variables being used as a launchpad for remote code execution, remote file inclusion and security filter evasion attacks.
The report should be a must-read for anyone developing PHP applications who wants to understand how those applications can be manipulated through the SuperGlobal parameters. PHP SuperGlobal parameters appear to be gaining popularity within the hacking community because they allow several security problems to be chained into one advanced attack that breaks application logic, compromises servers and ultimately results in data theft. The Imperva research team notes that in a single month it saw an average of 144 attacks per application with attack vectors related to these SuperGlobal parameters. It also witnessed attack campaigns lasting five months or more, with 'request burst floods' as high as 90 hits per minute against a single application.
Highlights from the report, which is available as a free download, include:
- Key exposures in third-party infrastructure demonstrate the need for an “opt out” security model. The report found a vulnerability in the very popular phpMyAdmin (PMA) utility, used to manage MySQL databases in PHP environments. Because PMA is often bundled with other applications that use MySQL, having the vulnerable utility present on the server, even when the administrator is not using it, exposes the server to code execution attacks and, as a consequence, to full server takeover. Therefore an “opt out” security model, in which bundled components that are not in use are removed or disabled rather than left installed by default, is recommended.
- Positive security models are best. Only a positive security mechanism that specifies the allowed parameter names for each resource can prevent an attacker from taking advantage of the external variable manipulation weakness. That weakness lets anyone send external parameters with the same names as internal variables and thus override the values of the latter.
- Hackers are sophisticated. Imperva researchers observed that attackers are capable of mounting complex, multi-stage attacks and packaging them into simple-to-use tools. However, while an impressive demonstration of attack capability, the PHP method has pitfalls: because the attack is a chain of stages, an application security solution that detects and mitigates any single stage renders the entire attack useless.
- SuperGlobal parameters in requests should be blocked. There is no legitimate reason for parameters with these names to appear in a request; therefore, they should be banned outright.
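The last two recommendations (a per-resource allow-list of parameter names, and an unconditional ban on SuperGlobal names in requests) are simple enough to put into a request filter in front of a PHP application. The following is an added example written for this article; it is not code from the Imperva report or from any Imperva product. The resource paths, their allow-lists and the sample requests are hypothetical, constructed for the example. One detail a practitioner would want is the name normalisation: PHP skips leading spaces in a request variable name, stops at the first `[`, and turns `.` and space into `_` when it registers the variable, so a filter that only looks for the literal string `_SESSION` is bypassed by `.SESSION[...]`, which PHP still maps to `$_SESSION`.

```python
from urllib.parse import parse_qsl

# The nine PHP superglobals. No legitimate client needs to send a parameter
# with one of these names, so any request parameter resolving to one is rejected.
PHP_SUPERGLOBALS = frozenset({
    "GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
    "_COOKIE", "_SESSION", "_REQUEST", "_ENV",
})

# Positive security model: for each resource, the only parameter names it may
# receive. The paths and names here are hypothetical, chosen for this example.
ALLOWED_PARAMS = {
    "/index.php": frozenset({"page", "lang"}),
    "/setup/index.php": frozenset({"token", "action"}),
}


def normalize_name(raw: str) -> str:
    """Reduce a raw parameter name to the PHP variable name it would populate.

    Mirrors how PHP registers request variables: leading spaces are skipped,
    the name ends at the first '[' (array syntax), and '.' and ' ' within the
    name become '_'. Hence '.SESSION[x]' and ' _SESSION[x]' both map to
    '_SESSION', exactly as PHP would treat them.
    """
    name = raw.lstrip(" ")
    name = name.split("[", 1)[0]
    return name.replace(".", "_").replace(" ", "_")


def check_request(path: str, query_string: str) -> list:
    """Return the list of violations for one request; an empty list means pass.

    Two rules are applied:
      1. any parameter that maps to a PHP superglobal is rejected outright;
      2. every other parameter must be on the resource's allow-list, and a
         resource with no allow-list is denied (fail closed).
    """
    violations = []
    allowed = ALLOWED_PARAMS.get(path)
    if allowed is None:
        return [f"no allow-list for resource {path}: denied"]
    # keep_blank_values so that a bare '?_SESSION' (no '=') is still inspected
    for raw_name, _value in parse_qsl(query_string, keep_blank_values=True):
        name = normalize_name(raw_name)
        if name in PHP_SUPERGLOBALS:
            violations.append(f"superglobal name in request: {raw_name!r}")
        elif name not in allowed:
            violations.append(f"parameter not allowed for {path}: {raw_name!r}")
    return violations


# Constructed sample requests for the demonstration; these are not real traffic.
SAMPLE_REQUESTS = [
    ("/index.php", "page=home&lang=en"),                                  # clean
    ("/index.php", "page=home&debug=1"),                                  # off allow-list
    ("/setup/index.php", "token=abc&_SESSION%5BConfigFile0%5D%5Bx%5D=1"), # superglobal
    ("/setup/index.php", ".SESSION[ConfigFile0][x]=1"),                   # dot evasion
    ("/admin.php", "x=1"),                                                # unknown resource
]

if __name__ == "__main__":
    for path, qs in SAMPLE_REQUESTS:
        result = check_request(path, qs)
        verdict = "ALLOW" if not result else "BLOCK: " + "; ".join(result)
        print(f"{path}?{qs} -> {verdict}")
```

The filter is a defence-in-depth layer, not a substitute for fixing code that copies request data into variables (`parse_str()` without a result argument, `extract()` on request arrays, or legacy register_globals behaviour); it simply ensures that a request carrying a SuperGlobal name never reaches such code. Cookies and POST bodies should be run through the same `normalize_name` and allow-list checks, since PHP registers those through the same path.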
"The effects of these attacks can be great as the PHP platform is by far the most popular web application development platform, powering more than 80 percent of all websites, including Facebook and Wikipedia," says Amichai Shulman, CTO at Imperva. "Clearly, it is time for the security community to devote more attention to this issue."