I've been hearing a lot about the vulnerabilities of PHP applications and how hackers are using PHP SuperGlobal variables to execute Web attacks. Can you please explain what PHP SuperGlobal variables are and the risks they pose?
First, a little background: Hypertext Preprocessor (PHP) has been around for more than 10 years and is one of the most important Web application programming languages to date. It was originally designed with functionality and ease of use in mind. However, despite its longevity, PHP has a spotted security track record. Researchers have even created the Hardened PHP Project to help enterprises secure applications and webpages.
While many of PHP's bugs have been identified -- and fixed -- they have exposed many common Web applications to these vulnerabilities and require Web application developers to keep current on the version of PHP in use. Other programming languages, such as Microsoft's Active Server Pages, or ASP, do not have these types of vulnerabilities and therefore do not require developers or system administrators to always use the most current version of the language to keep the application secure -- lowering the cost of development by lessening the need for upgrading and training. Secure development practices still need to be used regardless of the programming language.
In August 2000, PHP SuperGlobal variables were introduced to deprecate PHP register global functionality, as it caused significant security issues in PHP and Web applications. PHP SuperGlobals are built-in variables that are available in a PHP script and store data that can be used throughout the script. The deprecated functionality was widely abused by attackers because of its insecure design.
Application security vendor Imperva Inc. describes the risks SuperGlobal variables pose in its report. One risk is that a SuperGlobal variable could have malicious data entered into it that then was used somewhere in the script in an insecure way that could be exploited by an attacker.
The two key takeaways should be that, as Imperva notes, there is no valid reason for any PHP application to provide SuperGlobal parameters, and any such request of an application to provide them should be blocked. To that end, check to ensure that your Web application firewalls have rules that automatically block these requests, and that they ideally alert when such an event occurs, as it may very well be a sign of a targeted attack.
Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)
Related Q&A from Nick Lewis, Enterprise Threats
Chameleon malware targets insecure wireless access points. Enterprise threats expert Nick Lewis explains how to defend against the malware.continue reading
The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. ...continue reading
Enterprise threats expert Nick Lewis explains how to detect and avoid one of the most advanced malware threats: The Mask.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.