PHP has been around since the mid-1990s and quickly proliferated on the web as an easy-to-use server-side and command line scripting language, allowing users to build dynamic web pages and applications. PHP remains one of the most in-demand programming languages today, mostly due to its use in the internet’s most popular content management systems (WordPress, Drupal), e-commerce platforms (Magento, OpenCart), and popular web development frameworks (Laravel, CakePHP).
In addition to command injection, here are some other common PHP vulnerabilities, which we’ll discuss in this article:
- SQL injection
- Cross-site scripting
- File Inclusions (remote and local)
So, let’s take a look at how a full stack security approach can help protect your PHP applications against these common attack vectors.
Command Injection
A command injection attack takes advantage of unsanitized PHP input validation, giving malicious users the opportunity to pass in arbitrary commands to the host system. Because the input is unsanitized, the attacker can pass in additional system commands that will be executed as system command functions of PHP, such as system or shell exec.SQL Injection
A common error administrators make is to store PHP session IDS in a database in order to further validate user actions post-login. If the session ID isn’t sanitized properly, it leaves an opportunity for a malicious attacker to attempt a SQL injection. Here’s an example of a blind SQL PHP sessionID injection:
GET /page.php
host: site.com
UserAgent: Mozillla/5.0
Cookie: PHPSESSID=764EFA883DDA1E11DB47671C4A3BBD9E’ and (Select 1)=1—+
Referer: site.com/index.php
It’s a common example of the types of attacks our certified SOC analysts see on a daily basis. Anytime an analyst works an incident, all supporting data of that case get fed into our security analytics platform. This unique combination of human expertise and sophisticated machine learning has allowed Alert Logic to develop world-class in-house threat research using real-world signatures, rather than simply relying on public CVEs. Anytime our SOC discovers a new vulnerability, we leverage our integrated security model to roll out that protection to all other customer environments via our IDS software and vulnerability management platform.
Cross-site Scripting Is Still Popular for Attackers
Another popular type of injection attack is cross-site scripting, where a would-be cyber attacker injects client-side code, commonly Javascript, into a URL or form that echoes the data of form results through the PHP interpreter without adequate sanitization.
File Inclusion Vulnerabilities Still Persist
Similar to a command execution attack, file inclusions take advantage of a PHP script with no or improperly sanitized input. File inclusions can be characterized as remote or local. A remote file inclusion allows a malicious attacker to take advantage of the allow_url_fopen() or allow_url_include() directives in a PHP script in order to force the loading of a text file with malicious PHP code in it from a remote URL, which will be executed locally upon loading.
A local file inclusion is a similar vulnerability in which the above directives are off. Essentially, a malicious user gains access to a local file on the server using directory traversal (../..) or executes code by accessing a resource that logs user-controlled data.
For PHP alone, Alert Logic has over 1,800 scan checks and 3,800+ IDS signatures and log message types built from years of threat intelligence research and managing a security operations center (SOC) in support of more than 4,000 customers. However, PHP is just one example of the many the popular development platforms in use on the web today. Regardless of your choice of development platform, rest assured that Alert Logic has you covered.
