ZDNet UK / News and Analysis / Application Development

Worms will breed in PHP hole, say experts

By Staff, CNet, 5 March, 2002 09:36

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Hacking, php security hole, php viruses, php worms

NEWS
With a survey estimating that a million Web sites are vulnerable to a set of newly discovered scripting flaws, security experts are predicting that a worm that uses the software bugs to spread could be on the way. As previously reported, the flaws occur in Web server modules using the Personal Homepage scripting language, more commonly known as PHP. The language is widely used among sites built on open-source software and allows such sites to create Web pages on the fly. David Dittrich, senior security engineer at the University of Washington, stressed that while the technical nature of the flaws would make creating a worm more difficult, the Net is rife with groups that have the wherewithal and knowledge to pull off the job. "It's just a matter of time before someone does a worm," Dittrich said, adding that systems administrators who have Web sites running a flawed version of PHP should patch their version as soon as possible. Last Wednesday, a member of the PHP Group posted details of a handful of flaws that could be exploited to take over Web servers that use version 3.0.10 to version 4.1.1 of the PHP software. By gaining control of the Web server software, attackers could deface any sites hosted by that server or take advantage of their position to issue system commands to the server. Two days later, UK-based Internet research group Netcraft released its monthly survey of Web sites, indicating that nearly 8.4 million sites were hosted by servers that use a vulnerable version of PHP. One million of those sites are vulnerable to attack, the survey said. Based on that data alone, the PHP flaws could be as dangerous as the indexing server ISAPI filter flaw in Microsoft's Internet Information Server that made the Code Red worm possible, said Marc Maiffret, chief hacking officer for network protection company eEye Digital Security. "This could easily turn out to be a Code Red or bigger if someone is so inclined," Maiffret said. eEye initially identified the indexing server flaw in April and notified Microsoft. When the software giant announced the flaw in June 2000, Netcraft's survey indicated that nearly 6 million sites on the Internet could be vulnerable. Sites do not directly correspond to servers, however, and it's not known how many of those sites were actually vulnerable. What is known is that on July 19, 2000, nearly 360,000 servers were compromised by a modified version of Code Red, according to the Cooperative Association for Internet Data Analysis. Evidence at the time indicated that the worm saturated the Internet, infecting almost every server that was vulnerable and accessible. There may be hints that just such a worm is already under development in the Internet underground, Maiffret said. A program that makes use of the vulnerability to compromise systems, a tool known as an exploit, has been circulated among security professionals and hackers on the Internet. One part of the code includes a function to generate random Internet addresses, useful to a worm program or automated scanner for selecting the next victim from the Internet at large, Maiffret said. The actual exploit apparently doesn't use the function, leaving some security experts speculating that it could be part of an unfinished program. "Right now, we're waiting to see what happens," Maiffret said. "Nothing so far, but everybody is watching for it." Online vandals intent on building such a worm will not find the job easy. Where the index server ISAPI flaw could easily be exploited by a simple program, an online vandal looking to create a PHP worm would have a lot more work to do, said Rasmus Lerdorf, a PHP project member. Because different versions of the software are susceptible to a different subset of the flaws, a worm would have to be programmed to detect the configuration of each host and attack with the right piece of code. "They would have to write four or five exploits," Lerdorf said. "They would need to know a lot more. All you had to do with the (Code Red flaw) is put colon-colon after a URL, and poof, you screw up the Web server." In addition, Web servers typically run with limited privileges, not in "super user" mode, which allows nearly unlimited privileges to those with access. On properly secured servers, that difference could make it much more difficult to control the infected computer. That may play in the favor of PHP-enabled Web site administrators, said Stefan Esser, another member of the PHP Group and the author of the advisory on the scripting flaws. "PHP is an open-source project, and users of open-source products are often--in my experience--more aware of security issues than users of Microsoft products," Esser said. "I am pretty sure open-source users will upgrade faster than Microsoft users. The most important sites all have upgraded by now." Still, to stop potential worms from affecting the Internet, more than just the major Web sites need to upgrade.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section. Have your say instantly, and see what others have said. Go to the Security forum. Let the editors know what you think in the Mailroom.

Related stories

PHP virus sparks debate

Scripting flaw leaves sites vulnerable

Perens: Linux could learn from Apple

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

5 minutes ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

10 minutes ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Moley

For Gnome 2 die-hards, it is possible to add icons to the bottom panel (or top top panel, if you prefer) which provide the exact Gnome 2...

55 minutes ago by Moley on A tale of two distros: Ubuntu and Linux Mint
ramwellian

Your comments would seem pretty naive and immature. Your 'solution' appears to be, "gee, let's all just give in to the hackers and give them...

1 hour ago by ramwellian on Cloud computing security: no more oxymoron?
BugStalker

"Interesting thought ... If you installed Win7 as a dual boot on a machine that previously only had Linux, and it wrecked your Linux installation,...

1 hour ago by BugStalker on Windows 7 Declares War on GRUB
whs001

This is an excellent summary of Ubuntu and Mint and the interface differences between them. Most such articles take a very partisan position for...

2 hours ago by whs001 on A tale of two distros: Ubuntu and Linux Mint
Moley

@ewallace. Not so clear. Anyone can obtain the text, for example from here http://www.ustr.gov/webfm_send/2379. I support ACTA so long as it and...

2 hours ago by Moley on ACTA: Facts, misconceptions and questions
45283

I think WinRT is fantastic. I just wish it was an option for people that didn't want to go through Microsoft's App Store with its attendant...

5 hours ago by 45283 on Why Windows 8 needs architectural hygiene for WOA
Burn-IT

Nine people? £30m? Who's back pocket is that lot going in? And IF they say it is for new buildings, what about all the ones the government has...

6 hours ago by Burn-IT on Police set to launch three £30m e-crime hubs
ewallace

Just to be clear, nobody knows what is in the text of ACTA, here is a photograph of the text of ACTA http://twitpic.com/8h9iju as submitted to the...

6 hours ago by ewallace on ACTA: Facts, misconceptions and questions
fgvrg56

Unfortunately main issue is that ASUS is refusing to accept that they make some mistake on this version of asus Transformer prime. 1 - GPS sensor...

7 hours ago by fgvrg56 on Asus Eee Pad Transformer Prime Wi-Fi & GPS problems?
Ben Woods

@Marcus A fair question. Just talked with Archos which said it was working on an announcement for next week....

8 hours ago by Ben Woods on Archos confirms G9 Ice Cream Sandwich update schedule
Marcus Karlsson

Any update on this, considering the claimed "first week of February"?

10 hours ago by Marcus Karlsson via Facebook on Archos confirms G9 Ice Cream Sandwich update schedule
apexwm

Bill Goodrich : Just as al_langevin pointed out, with Windows Server 2008 there is no Services for Macintosh anymore. It's gone, not available....

18 hours ago by apexwm on Windows Server 2008 drops the ball for Mac compatibility
txtrainguy

Replying to an old topic that I'm currently facing with my CEO (who is on a Mac). Our servers are primarily Windows Servers, office is about...

1 day ago by txtrainguy on Windows Server 2008 drops the ball for Mac compatibility
k0tcs3

Sure, that makes perfect sense. Pay wrong-doers money and thank them for breaching your security and pointing out your flaws, that would surely...

1 day ago by k0tcs3 on US indicts Romanian over NASA climate change hack
Random_Error

I think he's referring specifically to Android apps, as Apple do regulate their App Store, but Google seem to let any old crap onto the Android store!

1 day ago by Random_Error on RIM: BlackBerry will keep 'garbage' apps out of store
Paul Fezziwig

Keep the crap apps out?! How will they compete with Android and Apple's claim to fame of having so many life changing apps? I wonder if the media...

1 day ago by Paul Fezziwig via Facebook on RIM: BlackBerry will keep 'garbage' apps out of store
Aigars Mahinovs

It has been shown time after time that if there is an author store that sells the songs at even 1$ per song and gives you a high-quality digital...

1 day ago by Aigars Mahinovs via Facebook on Copyright isn't working, says European Commission
awbMaven

""As a result of Butyka's alleged conduct, researchers were unable to use the computers for more than two months while NASA removed the malicious...

1 day ago by awbMaven on US indicts Romanian over NASA climate change hack

Latest in Application Development

Perens: Linux could learn from Apple

Featured white papers

10 safety tips for business in 2012

Symantec.cloud

10 safety tips for business in 2012

From cloud computing to remote working, your business should consider these ways to keep your business secure as traditional IT... Read more

Deliver easy email search, storage and retrieval systems

Symantec.cloud

Deliver easy email search, storage and retrieval systems

Are you storing up trouble? There is a better way to manage corporate email storage on every level, for every size and type of... Read more

Defining your data demands in simple steps

Symantec.cloud

Defining your data demands in simple steps

Data growth provides vital resources for your business, and you can manage its enormity through some simple... Read more

Inside ZDNet UK

A tale of two distros: Ubuntu and Linux Mint

A tale of two distros: Ubuntu and Linux Mint

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

BlackBerry Bold 9790

BlackBerry Bold 9790

Case study: How cloud enables growth

Case study: How cloud enables growth

Ten factors that make Ubuntu 11.10 a hit

Ten factors that make Ubuntu 11.10 a hit

Toshiba Portégé Z830-10P Review

Toshiba Portégé Z830-10P Review

BT's archive: Pictures from the vault

BT's archive: Pictures from the vault