In October 2013, a public exploit in PHP was disclosed using a vulnerability that was first published in 2012, categorized as CVE-2012-1823. The exploit suggested that PHP, in conjunction with Apache, suffered from command injection vulnerability. Soon after the exploit was released, Imperva’s honeypots detected web servers being attacked with this exploit. In the first weeks following this discovery, Imperva recorded as many as 30,000 attack campaigns using the exploit.
After noticing a recent increase in the attack volume using the CVE, Imperva deduced that hackers realized old vulnerabilities are still relevant because they can reuse the vulnerability on available targets. In general, the vulnerability is exploited in a two-staged attack. First, the attacker disables the PHP mechanism that protects against remote code execution then, in the second stage, hackers steal information from the server or deploy any sort of software (such as malware) to the server.
The main solution for companies to protect themselves and assets is to patch to a non-vulnerable version. However, framework patches are often difficult to deploy for various reason including the possibility they require code changes to the framework and changes to functionality; it may be hard to take applications down for maintenance, or some companies are simply unaware of the security threat. The second option is to deploy a compensating control such as a Web Application Firewall (WAF) to mitigate the problem before it reaches the application – in essence a ‘virtual patch’.
The bottom line is hackers are focused on finding the vulnerabilities that have the most impact and potential. For example, as mobility gained popularity for enterprises, hackers shifted their focus to the Java framework – as technologies become mainstream attacks on it grow exponentially. With around 82% of all websites using PHP as the framework for web applications hackers naturally will see targeting PHP as a smart investment.
By Barry Shteiman, Director of Security Strategy at Imperva
Imperva, pioneering the third pillar of enterprise security, fills the gaps in endpoint and network security by directly protecting high-value applications and data assets in physical and virtual data centers. With an integrated security platform built specifically for modern threats, Imperva data center security provides the visibility and control needed to neutralize attack, theft, and fraud from inside and outside the organization, mitigate risk, and streamline compliance. Over 2,700 customers in more than 75 countries rely on our SecureSphere® platform to safeguard their business. Imperva is headquartered in Redwood Shores, California. Learn more: www.imperva.com, our blog, on Twitter.