On Web Server Security and PHP Vulnerabilities

In this day and age of targeted attacks and zero-day exploits, servers need the same amount of security that endpoints get, if not more. We’ve already seen how attacks have been relentless last year, with companies and government being hit with increasing frequency and ferocity. The main enabling element of these attacks, determined from the analysis of countless incidents, are vulnerabilities—security flaws inherent in commercially-available software.  Whether old or newly-discovered, these vulnerabilities allow malicious actors to break into the network infrastructure of an organization and steal information.

We always hear about endpoints being vulnerable—an unsecured system on the network with, say, an unpatched version of Microsoft Office—as was the case with a number of targeted attack incidents that happened in June of 2014.i We know about those, and we know how to resolve them. But are these applications the only weak link in a network? Or are there more insecure elements that businesses need to look into?

Unfortunately, the answer is yes. There are more than just vulnerability-ridden applications to patch to secure your network, and one of these is the language you create your websites with, such as PHP, Python and SQL. Without getting too technical, these are programming languages that web admins use to add more functionality to websites, such as the ability to facilitate online shopping, or automatic content updating. They turn websites into something more than just static pages of text and pictures on the Internet—they make them more interactive and useful.

The crux of the problem here is that these programming languages are very popular, and as such, are very widely used. And as we’ve learned from Javascript and Adobe Flash Player, popularity isn’t necessarily a good thing, as the more popular an app (or in this case, language) is, the bigger a target you present to cybercriminals and threat actors.

This is what happened with popular programming languages such as PHP. They’ve become so ubiquitous for web development that their vulnerabilities are quickly found and exploited by attackers to infiltrate the networks and databases that use them. From old vulnerabilities to zero-days, it’s just like Javascript all over again.

There are, of course, patches for the vulnerabilities themselves, but when code is inherently flawed to the point that it’s considered one of the most insecure programming languages to date, patches don’t necessarily resolve the issue.

Such is the case with PHP, a programming language that's as versatile as it is insecure. First starting out as something of an exercise for its creator, Rasmus Lerdorf, PHP was not designed at all—rather, it was developed organically, meaning that it was developed without the thought of security or anything else in mind, just functionality. Its simplicity and low learning curve also made it an easily abused tool for newbie web devs—developers who are likely to create insecure websites with the little they’ve learned about PHP, thus perpetuating a cycle of insecurity until something finally snaps.

Don’t believe how bad it is? W3Techs, a survey company, found that nearly 78% of all PHP installations are running with at least one known security vulnerability. And yes, the other languages, while also vulnerable, aren’t as full of holes as PHP is. When even Google spits out pages and pages of results of tech-savvy individuals and IT admins bemoaning how much they find PHP to be insecure, you need to buck up your security and fast.

And it’s not like we’re not seeing it on our end, either. Our own in-house findings, through Trend Micro Deep Security, allowed us to see what kind of programming code is being exploited the most. To no surprise, PHP came up first, followed closely by Apache, SQL, and SSL. This is more proof that attackers aren’t just looking at popular vulnerabilities, but also the more obscure ones—especially those that don’t receive as much attention or support.

[More: How Web application flaws are used as entry points in the Trend Micro 2015 1Q Security Roundup]

It’s not too late to start protecting your company and avoid becoming tomorrow’s cautionary tale. All you need is a dynamic security solution that prevents vulnerabilities from being exploited even if they haven’t already been patched. Solutions like Deep Security provide such protection automatically.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.