Security holes in PHP-based content management and forum apps are an increasingly active front in Internet security, as hackers target unpatched weaknesses. The latest example is Monday's hack of chip maker AMD's customer support forums, in which an older version of Invision Power Board was compromised and used to distribute malware via the Windows Metafile (WMF) exploit.
While Windows flaws like the WMF vulnerability are useful to hackers assembling armies of compromised desktop computers, security holes in PHP applications provide access to more powerful servers hooked directly to high-speed network connections.
Internet criminals have targeted unpatched vulnerabilities in open source CMS apps including phpBB, PostNuke, Mambo, Drupal and others, hoping to build botnets for use in phishing scams and distributed denial of service (DDoS) attacks. Compromised web forums hosted more than 600 phishing spoof sites identified by the Netcraft Toolbar Community in 2005 (as noted in our Year in Phishing roundup).
The DDoS capabilities of server-based zombies were demonstrated in a December attack by a large botnet of Linux machines, in which attackers flooded their target with more than 6 gigabytes of data per second. Hosting providers with multiple IP addresses participating in the botnet included Level 3, Savvis, AT&T WorldNet, 1&1 Internet, Interland and The Planet. The network used in the December attack was assembled by exploiting known security holes, including a vulnerability in the Limbo CMS that had been patched at least six weeks earlier.
The growth of PHP-based content management systems is a testimony to the success of the open source movement, which has created a lengthy list of powerful, user-friendly applications that can be installed by web site operators with little or no PHP coding experience. Active support communities for these projects offer templates and mods for easy customization, and mobilize to deploy fixes for security holes.
But as is the case with most web software, a significant number of users fail to install security patches in a timely fashion. This provides an opportunity for hackers, who typically use public advisories to identify security flaws in specific programs and files, and then query search engines to locate vulnerable versions of the software.
Some programs with consistent security problems continue to grow in popularity. The open source bulletin board system phpBB has experienced a series of security problems, and has been banned by some web hosts. The MSN search engine recently began returning no results for the search term "phpBB" to deter hacker scans. That hasn't prevented a 79 percent increase in active sites using phpBB between June and December of 2005, according to data from our Web Server Survey and related datasets.
Most of the security issues with PHP-driven programs are found not in PHP itself, but rather in the libraries and applications built atop the server-side scripting language. The most widespread of these, a flaw in XML-RPC libraries identified in July, affected a lengthy list of popular programs including WordPress, Drupal, PostNuke, Serendipity, phpAdsNew and phpWiki. More than four months later, hackers were still actively targeting the flaw.