Websites across the globe face impending dangers from an unpatched vulnerability in the PHP scripting language that attackers are already trying to exploit to remotely take control of underlying servers, security researchers said.
The code-execution attacks threaten PHP websites only when they run in common gateway interface (CGI) mode, said Darian Anthony Patrick, a Web application security consultant with Criticode.
Sites running PHP in FastCGI mode do not suffer from the issue. No one knows exactly how many sites are at risk, because sites also must meet several other criteria to be vulnerable, including not having a firewall that blocks certain ports. Nonetheless, sites running CGI-configured PHP on the Apache webserver are by default vulnerable to attacks that make it easy for hackers to run code that plants backdoors or downloads files containing sensitive user data.
Full details of the bug became public last week, giving attackers everything they need to locate and exploit vulnerable websites.
Exploits are already hitting servers that are part of a honeypot set up by Trustwave's SpiderLabs to detect Web-based attacks, said security researcher Ryan Barnett. While some of the Web requests observed appear to be simple probes designed to see if sites are vulnerable, others contain remote file inclusion parameters that attempt to execute code of the attacker's choosing on vulnerable servers.
“Because this is honeypot stuff and we’re not actually running all of these live applications, we can’t be sure what I’m showing actually would work,” Barnett said. “We just wanted to show that yes, bad guys are actively scanning for this.”
The open-source Metasploit framework used by hackers and penetration testers to exploit known vulnerabilities includes the exploit, providing a point-and-click interface for remotely carrying out the code execution attacks. In addition, it is easy to bypass an update PHP maintainers released late last week to patch the hole. That leaves vulnerable websites at risk even after applying the fix.
Patrick said websites that run PHP in CGI mode should install the update anyway and then follow several steps to mitigate their exposure, including applying a second patch published last week by researchers on Eindbazen.net.