10:37 PM
Connect Directly

Are PHP SuperGlobal Parameters Really That Big A Deal?

New report shows potential for PHP exploits, but others in the industry say patching PHP servers is the issue, not faulty parameters

A new report out this week (PDF) from Imperva detailing the potential danger for attacks through vulnerable PHP SuperGlobal parameters suggests that organizations running PHP servers should ditch the use of these variables in application requests. But while other security experts agree that PHP security must be addressed to prevent serious breaches, they argue that the real problem is in server patching practices rather than the use of SuperGlobal variables.

"PHP is definitely a vulnerable language when not implemented correctly, and unfortunately, most Web programmers don't truly understand the vulnerabilities or attack vectors associated with them," says Joshua Crumbaugh, lead penetration tester at IT Cyber Security.

Released on Monday, the report chronicled the attack methods that Imperva researchers observed across a sample of 24 applications containing attack vectors related to SuperGlobal variables, noting that they identified 144 related attacks per application within a month, with some attack campaigns lasting over the course of five months. In particular, the report showed how attackers are commonly able to chain together multiple low-impact vulnerabilities related to SuperGlobal in order to achieve variable manipulation, security filter evasion, and arbitrary code execution.

[Is IPS in it for the long haul? See The Future of IPS.]

"One of the key lessons for enterprises is that they should defend themselves even against what seems to be in the beginning a really not-so-important vulnerability because when it is chained with other not-so-important vulnerabilities, together they can create a really powerful exploit," says Tal Be'ery, leader of Imperva's Web research team.

According to Be'ery, while PHP security has generally improved during the past few years, it's not getting better fast enough, particularly for a language that by his firm's estimates powers more than 80 percent of the Web. While most security experts would agree with that sentiment, some are taking issue with Be'ery's and Imperva's public push against SuperGlobal.

"Instead of calling to remove SuperGlobals, it might be better to call on people to update their PHP," says Serge Batchilo, a security researcher for Security Innovation. "The vulnerabilities at the root of this wave of attacks are CVE-2010-3065 and CVE-2011-2505, which means they have been assigned CVE identifiers in 2010 and 2011, respectively, and are almost certainly patched in PHP versions for the past couple of years."

Batchilo accused Imperva of drumming up controversy with what he calls an "essentially trivial finding," explaining that the best way to improve PHP security is through more timely patching.

"Removing SuperGlobals would break a lot of PHP applications and is not likely to happen in the short term, while installing patches that have been available for years is a simple and effective solution that can be easily implemented in the short term," Batchilo says. "When a patched vulnerability is being exploited, it is common sense to install the patch. It's even better just to update servers periodically as a preventative measure."

Crumbaugh agrees, reiterating that the No. 1 recommendation he has for those administering PHP applications is to keep those applications and the system upgraded.

"Unless there are some serious flaws in the implementation of your software or gigantic configuration errors, it's rare that I can break into a server with fully patched software and services," he says, explaining that he frequently exploits out-of-date PHP systems in his penetration tests, and noting that he frequently runs into companies that take years to update critical vulnerabilities. "Keep everything up to date, and you'll increase your security posture."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/13/2013 | 3:33:36 PM
re: Are PHP SuperGlobal Parameters Really That Big A Deal?
To prevent similar vulnerabilities during development, avoid using the PHP parse_str() function with untrusted data.
User Rank: Apprentice
9/13/2013 | 3:26:01 PM
re: Are PHP SuperGlobal Parameters Really That Big A Deal?
To be clear, CVE-2011-2505 is a vuln in phpMyAdmin, but the idea is the same - install patches. -Serge
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.