
Poor design fosters hacker attacks of websites running PHP

John P. Mello | Sept. 13, 2013
App language contains open door for Black Hat mischief

From Windows to WordPress, large platforms in general attract hacker attention, so it shouldn't be surprising that PHP has, too. "PHP's footprint is pretty large, which makes it juicier as a target," Mat Gangwer, an information security analyst with Rook Consulting, said in an interview.

What makes large platforms especially attractive is that they can give hackers the most bang for their buck. "When they come up with an exploit or attack on one site it can be traversed across multiple sites so it doesn't have to be a single targeted attack," Gangwer said.

"In a lot of ways, PHP is a victim of its own success," said Daniel Peck, a research scientist with Barracuda Networks.

Peck explained hosting sites rapidly adopted the language because it was easy to use, it worked and it was free. That kind of haphazard growth created growing pains for the language — including security aches.

"The documentation and example code has a lot of poor and insecure practices in it so if you search on how to solve your problem in PHP, you'll come up with an insecure solution," Peck said in an interview.

Even a programmer who wants to mind their security P's and Q's can find it challenging. "It also has some features that make it difficult to program securely," Peck noted. "It can be done, but you need to put a significant amount of effort into it."

PHP is also plagued with another affliction of mega Web platforms. "Content systems deployed in an open source fashion are easy to deploy and administer, but often the resources aren't there to keep up with the patch frequencies and the vulnerabilities associated with them," JD Sherry, vice president of Technology and Solutions for Trend Micro, told CSOonline.

"When you couple the problem with super global variables with unpatched systems, you've got a perfect storm for an attacker," Sherry said.
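To make the superglobal problem concrete, here is an added illustration (not code from the article or from anyone quoted in it) of the kind of snippet that copies request data straight out of `$_GET` into a query and the page, beside a hardened form that validates, binds and escapes it. The table and column names, the DSN and the credentials are assumptions for the example.

```php
<?php
// Added illustration: insecure vs. hardened handling of PHP superglobals.
// Table/column names (users, id, name), DSN and credentials are assumptions.

// INSECURE: request data used as-is. $_GET['id'] is concatenated into the
// SQL string and the result is echoed unescaped, so a crafted "id" value can
// change the query, and a stored name can inject markup into the page.
function showUserInsecure(mysqli $db): void
{
    $id  = $_GET['id'];                                           // untrusted
    $res = $db->query("SELECT name FROM users WHERE id = $id");    // string-built SQL
    $row = $res->fetch_assoc();
    echo "<p>Hello, " . $row['name'] . "</p>";                     // raw output
}

// HARDENED: validate the superglobal, bind it as a parameter, escape on output.
function showUserHardened(PDO $db): void
{
    // filter_input() returns false for a non-integer and null when absent.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        echo '<p>Invalid user id.</p>';
        return;
    }

    // Prepared statement: the value travels separately from the SQL text.
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        http_response_code(404);
        echo '<p>No such user.</p>';
        return;
    }
    // Escape for the HTML context before echoing.
    echo '<p>Hello, ' . htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Example wiring (assumed DSN/credentials); PDO set to throw on errors and to
// use real server-side prepares rather than client-side emulation.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
showUserHardened($pdo);
```

The hardened version still needs the patching discipline Sherry describes: input handling in application code does nothing for a vulnerable interpreter or content-management platform underneath it.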
