Your Site Is Vulnerable: 2 Huge Holes

Curtis Franklin Jr., Executive Editor | 5/6/2014 | 19 comments

PHP is a great tool for building web pages that access databases. It's pretty nifty for pwning an enterprise site, too.

If you don't know what "pwning" a site is, you really need to get out more. And you really need to understand what even the most novice script-kiddies can do to your site if you've used PHP and haven't been careful about security. There are a couple of quick things you should be talking to your security team about, but first you should have a bit of background.

PHP is a scripting language that runs on a web server. Originally developed in 1995, PHP in one version or another now runs on millions and millions of web servers around the world. It started as the work of a single man -- Rasmus Lerdorf -- who wanted a tool to make his personal web page easier to manage. Version 1 was released publicly, and further maintenance and development were ultimately turned over to The PHP Group. The language has continued to evolve, but its small beginning has led to some interesting problems. Since Lerdorf didn't set out to write a complete programming language, PHP has grown in a rather undisciplined way. It has little in the way of a fully formed logical structure and less than it should in the way of security checks. And it's that last thing that brings me to the conversation you need to have with your security team.

The first surprise comes via a simple text string, "exec($_GET". Code containing it takes a value straight out of the query string and passes it to PHP's exec() function, which hands that value to a shell. With a bit of tweaking, whoever controls the request controls what command the server runs, without any security controls at all. Want to download all the code that makes up a website? This is the way to make it happen. And remember -- no security checks at all in the PHP instructions, because $_GET is one of the built-in superglobals that is automatically available in every scope of a page.
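To make the pattern concrete, here is the "exec($_GET" construction written out next to a hardened handler. This is an added example, not code from the article or from any site it refers to; the parameter name `host` and the idea of a hostname-lookup page are assumptions for illustration.

```php
<?php
// Added example (not from the article). Parameter name 'host' and the
// hostname-lookup scenario are assumptions for illustration.

// VULNERABLE: the query-string value is pasted into a shell command line.
// exec() hands the whole string to /bin/sh, so anything the shell treats
// specially in that value is interpreted by the shell rather than looked up.
function lookupUnsafe(array $get): string
{
    $cmd = 'host ' . ($get['host'] ?? '');   // $get stands in for $_GET
    exec($cmd, $lines);
    return implode("\n", $lines);
}

// HARDENED, step 1: validate the value against what a hostname may contain
// (RFC 1123 labels) and reject everything else before it reaches any sink.
function validHostname(string $host): bool
{
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return strlen($host) <= 253
        && preg_match("/^{$label}(\\.{$label})*$/", $host) === 1;
}

// HARDENED, step 2: do the work with a library call so no shell is involved.
function lookupSafe(array $get): ?string
{
    $host = $get['host'] ?? '';
    if (!validHostname($host)) {
        return null;               // refuse; the caller logs and returns an error page
    }
    $ip = gethostbyname($host);    // returns the input unchanged on failure
    return $ip === $host ? null : $ip;
}

// If a shell really is unavoidable, quote the value as ONE argument. This is
// a last line of defence, not a substitute for the allowlist above.
function lookupSafeViaShell(array $get): ?string
{
    $host = $get['host'] ?? '';
    if (!validHostname($host)) {
        return null;
    }
    exec('host ' . escapeshellarg($host), $lines);
    return implode("\n", $lines);
}

// Constructed inputs standing in for $_GET. The first is a normal request;
// the second carries shell metacharacters and must never reach exec().
foreach ([['host' => 'example.com'], ['host' => 'example.com; id']] as $get) {
    printf("%-30s valid hostname: %s\n",
        json_encode($get),
        validHostname($get['host']) ? 'yes' : 'no (rejected)');
}
```

Two follow-ups belong on the security team's list. First, auditing your own tree for the same pattern is a one-liner such as `grep -rnE '\b(exec|shell_exec|system|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)' .` (the pattern is my own, and it will miss values copied into a variable first, so treat a clean result as a starting point, not proof). Second, if a given application never needs to spawn processes at all, the `disable_functions` directive in php.ini can switch off exec() and its relatives for that server, which turns the bug from code execution into a logged error.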

Having fun with that little gem? Good -- you're going to love this one. Head out, run this search, and marvel at the array of results it generates. If you see the results and don't quite understand what's going on, allow me to help.

The string you've just searched on allows you to insert new SQL commands into the URL -- commands that are executed by the database sitting behind the site. It's the bedrock of a technique called "SQL injection" that shouldn't be possible in 2014 but is very possible on a number of sites. I've watched experts run these attacks against sites, and it's amazing. A person with just a bit of knowledge can do anything from downloading an entire database (including the records that are there but not normally available to customers through the website) to changing records in a database. What kind of changes? Prices. Availability. Contact information. Little things like that.
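The root cause is that the query text and the user's data are glued into one string, so the database cannot tell where one ends and the other begins. The example below, added here and not taken from the article, shows a string-built query beside a prepared statement, run against a constructed in-memory SQLite table so it is self-contained; the table, columns and sample rows are assumptions. Even an honest value with an apostrophe in it breaks the unsafe version, and the same boundary failure is what lets a crafted value rewrite the WHERE clause and reach rows the site never meant to publish.

```php
<?php
// Added example (not from the article). Schema and rows are constructed
// for illustration; requires the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, published INTEGER)');
$db->exec("INSERT INTO products (name, price, published) VALUES
           ('Widget', 9.99, 1),
           ('O''Brien''s Widget', 12.50, 1),
           ('Unreleased thing', 0.0, 0)");

// VULNERABLE: the parameter value becomes part of the SQL text. A quote in
// the value ends the literal early, and whatever follows is parsed as SQL.
function findProductUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, price FROM products WHERE published = 1 AND name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the statement's structure is fixed before any data is seen; the
// value travels separately as a bound parameter and can only ever be data.
function findProductSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, price FROM products WHERE published = 1 AND name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a plain name, then a legitimate name containing an apostrophe.
foreach (['Widget', "O'Brien's Widget"] as $input) {
    try {
        printf("unsafe %-20s -> %s\n", json_encode($input), json_encode(findProductUnsafe($db, $input)));
    } catch (PDOException $e) {
        // The second input reaches here: the query text itself is now malformed.
        printf("unsafe %-20s -> SQL error: %s\n", json_encode($input), $e->getMessage());
    }
    printf("safe   %-20s -> %s\n", json_encode($input), json_encode(findProductSafe($db, $input)));
}
```

The fix is the same whatever the driver: never build the statement from request data, bind every value, and treat any `'` in the input as a normal character rather than something to escape by hand. Where a query's table or column name has to vary, pick it from a fixed allowlist in code, because bound parameters cannot stand in for identifiers.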

I'm not suggesting that you stop using PHP -- the odds are pretty good that you couldn't, even if you wanted to. I am suggesting that you talk with your security people and begin to educate yourself. And to further your education, I've got one more suggestion.

Go download a copy of WebGoat. It's an intentionally vulnerable website that's been designed to let you see how major security vulnerabilities work. It's also a site where you can test your web defenses. I've used WebGoat to test any number of security systems over the years. I've also used it to help increase my knowledge of what goes into an attack. It's a great tool that can help you and your team build stronger, more secure websites for your organization.

How do you feel about all of this? Are your sites secure? Are you certain? How familiar are you with WebGoat? I'd love to know if you've already got all this information well in hand -- or whether I've helped bring a bit of new awareness to the party. See you in the comments...

Curtis Franklin, Jr., Executive Editor, Enterprise Efficiency

Copyright © 2017 TechWeb, A UBM Company, All rights reserved.