Wednesday, April 18, 2007

PHP Applications and Vulnerabilities

Every day we sift through an avalanche of newly found vulnerabilities in PHP applications and they all come down to improper sanitization of user-supplied input. Until our Universities are teaching secure coding techniques in Computer Science 101, we'll be in this situation for a long time. But that's a rant for another day.

Here's an example list of vulnerability announcements of PHP application over the last 24 hours:

• EclipseBB Phpbb_Root_Path Remote File Include Vulnerability
• Extreme PHPBB2 Remote File Inclusion
• Zomplog File.PHP Directory Traversal Vulnerability
• Joomla Template Module Index.PHP Remote File Include Vulnerability
• Gizzar Index.php Remote File Include Vulnerability
• Joomla/Mambo JoomlaPack Module MosConfig_Absolute_Path Remote File Include Vulnerability
• Cabron Connector InclusionService.PHP Remote File Include Vulnerability
• Wabbit PHP Gallery v0.9 Cross Site Scripting
• ActionPoll Script (actionpoll.php) Remote File Include
• LS simple guestbook - arbitrary code execution
• MyBlog <= 0.9.8 Remote Command Execution Exploit
• my little forum 1.7 Remote File Include Vulnerability
• PHP Nuke <= SQL Injections and Bypass SQL Injection Protection vulnerabilities
• Directory traversal vulnerability in Kai Content Management System (K-CMS)
• Directory traversal vulnerability in Monkey CMS 0.0.3
• Cross-site scripting (XSS) vulnerability in OpenConcept Back-End CMS 0.4.7
• PHP remote file inclusion vulnerability in chat.php in MySpeach 1.9
• Multiple PHP remote file inclusion vulnerabilities in CNStats 2.9
• ... and more!

Remote file inclusion, remote code execution, SQL injection, directory traversal, and cross site scripting vulnerabilities are running amok in PHP programs.

Ed Finkler at CERIAS took the time to sort through the NIST vulnerability data and come up with the top 20 offending PHP programs by score and by volume of advisories. This is skewed, of course, because programs not being prodded could be just as vulnerable, but less visible. Just the same, it's pretty interesting. Here are the top 5 by number of entries:
  1. MyBulletinBoard
  2. phpBB
  3. phpMyAdmin
  4. WordPress
  5. PHPNuke

The top 20 is even more enlightening if you happen to use some of those products (like VBulletin, Jupiter CMS, Joomla, and TikiWiki).

Anyone running this kind of software should be doing frequent scans of their files to make sure they haven't changed without their knowledge, frequent downloads of their website to make sure people haven't added code, and should make sure that their web server is isolated from sensitive parts of their network.

Note from the sponsor:eSoft's Intrusion Prevention Softpak has generic and specific detections for a number of common PHP vulnerabilities.

No comments: