
Imperva finds old PHP vulnerability still being exploited by attackers

Security vendor Imperva says thousands of enterprise Web servers are exposed to an easy-to-exploit PHP flaw despite a patch long being available.

Legendary U.S. general Douglas MacArthur once said, "Old soldiers never die, they just fade away." Old vulnerabilities may not give IT security professionals the benefit of fading away, though, according to new research from Imperva Inc.; if left unpatched, they may threaten enterprises for years.

In a blog post today, the Redwood Shores, Calif.-based database security vendor detailed how it tracked the activity associated with CVE-2012-1823, an argument-injection vulnerability in the CGI build of the widely used PHP interpreter (php-cgi). Despite being publicly disclosed and patched in 2012, the flaw is still being used by a number of exploit toolkits and botnets.

Barry Shteiman, director of security strategy at Imperva, said that in mid-October 2013 the company noticed a surge in attacks using vectors attributed to the known PHP vulnerability, which it monitored both through honeypot servers and through data gleaned from customers that opted in to Imperva's "Community Defense" service. The honeypots alone were targeted from more than 300 distinct attacker IP addresses.

Attackers have slightly altered the exploit methods for the vulnerability, according to Shteiman, though not enough to throw off Web application firewalls (WAFs) that should already recognize the flaw. The vulnerability lies in how php-cgi handles a query string that contains no "=" character: the CGI specification tells the Web server to pass such a query string to the program as command-line arguments, so a request like /index.php?-d+allow_url_include%3d1 lets an attacker set PHP configuration directives from the URL. Whereas attackers previously relied on the server mapping every .php request to the Common Gateway Interface (CGI) binary, which generates dynamic content for webpages and applications, they now request the php-cgi binary directly by its own URL (for example under /cgi-bin/) and use the same argument injection to turn off cgi.force_redirect, the safety check that normally stops php-cgi from being invoked that way.

The end result of a successful exploit is still the same, though: the ability to execute arbitrary commands on a vulnerable Web server. Shteiman noted that compromised servers are likely being used as part of botnets.
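To make the mechanism concrete, the following is an added detection example written for this article; it is not Imperva's code and is not taken from its blog post. It runs the CGI argument-splitting rule over a handful of constructed Apache access-log lines (not real traffic), reconstructs the argv that an unpatched php-cgi would have received, and labels each hit as the original handler-mapped .php vector or the newer direct php-cgi call, noting whether it is a source-disclosure request (-s) or the allow_url_include/auto_prepend_file=php://input combination used for remote code execution. The IP addresses, paths and log format are assumptions for the sake of the sample.

```python
"""Detect CVE-2012-1823 (php-cgi argument injection) probes in access logs.

Added example for this article, not Imperva's code.  RFC 3875 section 4.4:
when a request's QUERY_STRING contains no unencoded '=', the server splits
it on '+' and passes the pieces to the CGI program as command-line
arguments.  Unpatched php-cgi honoured those arguments, so
'?-d+allow_url_include%3d1' became 'php-cgi -d allow_url_include=1'.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Oct/2013:10:01:02 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Oct/2013:10:02:15 +0000] "POST /cgi-bin/php?-d+allow_url_include%3don+-d+cgi.force_redirect%3d0+-d+auto_prepend_file%3dphp://input+-n HTTP/1.1" 200 1044 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Oct/2013:10:03:44 +0000] "GET /index.php?-s HTTP/1.1" 200 8812 "-" "curl/7.30.0"
192.0.2.10 - - [15/Oct/2013:10:04:01 +0000] "GET /index.php?page=-d HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.11 - - [15/Oct/2013:10:05:30 +0000] "GET /search.php?q=a+b HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def cgi_argv(raw_query):
    """Return the argv a CGI server hands to php-cgi for this raw query string.

    Only a query string with no literal '=' is split on '+' into arguments,
    which is why exploits encode '=' as %3d.  Anything else yields [].
    """
    if not raw_query or "=" in raw_query:
        return []
    return [unquote(tok) for tok in raw_query.split("+")]


def parse_directives(argv):
    """Collect '-d key=value' settings, in both '-d key=value' and '-dkey=value' forms."""
    directives = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        setting = None
        if tok == "-d" and i + 1 < len(argv):
            setting = argv[i + 1]
            i += 1
        elif tok.startswith("-d") and len(tok) > 2:
            setting = tok[2:]
        if setting is not None:
            key, _, value = setting.partition("=")
            directives[key] = value
        i += 1
    return directives


def classify(path, argv):
    """Label an argv-style request, or return None if it is not an injection attempt."""
    if not argv or not argv[0].startswith("-"):
        return None
    directives = parse_directives(argv)
    name = path.rsplit("/", 1)[-1]
    if path.endswith(".php"):
        vector = "handler-mapped .php"   # original 2012 vector: .php mapped to php-cgi
    elif name.startswith("php"):
        vector = "direct php-cgi"        # newer variant: binary requested by its own URL
    else:
        vector = "other CGI path"
    if "-s" in argv:
        impact = "source disclosure"     # -s makes php-cgi print the script source
    elif (directives.get("allow_url_include", "").lower() in ("1", "on", "true", "yes")
          and directives.get("auto_prepend_file", "").startswith("php://input")):
        impact = "remote code execution"  # request body is executed as PHP
    else:
        impact = "probe"
    return {"vector": vector, "impact": impact, "directives": directives}


def scan_log(text):
    """Return one finding per log line that carries a php-cgi argument injection."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, raw_query = m.group("target").partition("?")
        result = classify(path, cgi_argv(raw_query))
        if result:
            findings.append({"ip": m.group("ip"), "path": path, **result})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:<14} {f['path']:<14} {f['vector']:<20} {f['impact']:<20} {f['directives']}")
```

The two non-matching lines are deliberate: "?page=-d" and "?q=a+b" both contain a literal "=", so the server passes them to php-cgi as a normal query string rather than as arguments. That same condition is what the mod_rewrite workaround published with the original advisory keys on (a query string with no "=" that contains "-" or "%2d"), and it is why the direct php-cgi variant is not stopped by cgi.force_redirect in php.ini: the request disables that setting with its own -d argument, so only a patched php-cgi binary, or blocking argv-style query strings in front of it, actually closes the hole.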

With nearly 82% of websites worldwide relying on PHP, Shteiman said the most worrying aspect of the situation is that thousands of enterprise websites are vulnerable to a relatively simple exploit. Despite the PHP Group releasing a patch for the vulnerability back in May 2012 (the first fix, in PHP 5.3.12 and 5.4.2, was incomplete and was followed within days by 5.3.13 and 5.4.3, so a server needs at least those versions), he said 16% of sites using PHP are still running a vulnerable version of the interpreter. That could be 10% or more of all websites worldwide.

Though Shteiman declined to name any of the companies running vulnerable Web servers, he said he found such cases using simple "Google dork" search queries, a capability that is obviously within the reach of any attacker.

"Today, exactly two years from the day that the original exploit was released, there are still tons of vulnerable targets online," Shteiman said. "So hackers are using an exploit that is undead. People just expect a vulnerability to die at some point, and no one cares anymore, which is unfortunately not the case."

Shteiman also emphasized that Imperva is tracking 21 other attacks that behave in the same manner as this PHP vulnerability: old vulnerabilities being used as part of modern attack tools.

He expects attackers to increasingly utilize known vulnerabilities, such as this one, in part because it simply makes financial sense on their end. An attacker can either spend more time and resources on developing new exploits that may or may not work, Shteiman said, or try to find more targets that are vulnerable to these sorts of known security flaws that they know will give them an easy way inside their targets of choice.

"If you've been in security more than a day, you've heard vendors complain that customers don't patch," Shteiman said. "Unfortunately, hackers realized [that] and caught up to what security pros have been saying all along: If you don't patch, you'll get hit."

Join the conversation
Why don't more enterprises promptly (or ever) patch vulnerable Web servers?

Replacing the existing instance of PHP with a new one means downtime.

would interpret the -s as the command line argument and result in the disclosure of the source code for the application