22 Months and Counting of Websites Being Stolen as PHP Exploit Lives On

Websites running PHP versions older than 5.3.12 and 5.4.2 are at risk of being exploited. An attacker who uses this exploit can take the website away from its owner, and the site’s end users are put at risk as well.

You need to know about this exploit because it has gone unnoticed for a long time. You also need to understand how it gives the attacker backdoor entry and how a site owner can patch a website that is at risk.



What is the Exploit?

The exploit targets a vulnerability in PHP itself, one that was first warned about nearly two years ago. The warning stated that an attacker could use the vulnerability to execute malicious code on any at-risk server.

The vulnerability is limited to older PHP versions, but many websites and servers still run them. It is only triggered when PHP runs in Common Gateway Interface (CGI) mode. This is a default for anyone using the Apache web server.

The exploit is indexed as CVE-2012-1823.

The vulnerability ranks 7.5 out of 10 on the CVE Details website. Most notably, it has a partial impact on information confidentiality, integrity, and availability. This means that the attacker can access a substantial amount of information and can modify certain information and system files, but cannot choose what is modifiable. It also means that the attacker can degrade your website’s performance and potentially cause availability interruptions.

How Does This Exploit Work?

The main takeaway is that, after 22 months of continuous existence (with warnings), this relatively old exploit is still being used by Internet criminals. Criminals realize that many PHP users do not perform routine version updates, which leaves them exposed to this particular vulnerability.

A few researchers made an effort to further understand the exploit. They created a honeypot server to get a better understanding of the severity and frequency of these attacks. A total of 324 different IP addresses exploited vulnerabilities in the honeypot server.

The attackers used heavily obfuscated code to disguise the attack. After the scripts were put into human-readable form, it was found that they downloaded executable files from a remote server. These executables were automatically run and then deleted from the server to completely disguise the attack.

These malicious attacks went unnoticed internally because of the concealment methods used. This led to system compromises, most of which continued to go unnoticed until they caused their own harm.

What Can This PHP Vulnerability Cause?

To put it simply, an attacker who exploits this PHP vulnerability can turn an otherwise trusted website into a platform for attacking its end users. The affected website attacks its own end users, and in some cases it targets other websites as well.

A recent statistic claimed that about 16 percent of PHP installations are currently running a vulnerable version of PHP. This is not necessarily a 100 percent accurate number, but it goes to show that there are a lot of site owners that are not updating their websites as they should.

The malicious intents of these attackers will vary. Some pose more of a threat than others. What remains true is that anyone vulnerable to one of these attacks is vulnerable to all of them. This means that while you may not immediately experience compromises of your website, you are still at risk if you are not protecting yourself from this vulnerability.

How Can PHP Vulnerability Risk Be Eliminated?

Site owners are encouraged to follow the latest PHP news and developments. This keeps you in touch with the changes between versions of PHP. Following the updates also lets you know exactly why a version change is important – this means that you will know if a potential vulnerability has been found and needs to be patched.

It will be your job to apply these updates. This will allow you to make sure that you are not at risk of the exploit. Patching simply requires an update to a more recent version of PHP. For the most part, running the most recent PHP version is suggested.
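
To check whether a server falls in the affected range, the first line of `php -v` or `php-cgi -v` output can be compared against the fixed releases 5.3.12 and 5.4.2. The Python sketch below is an added example, not code from the original article; the host names and banner lines are constructed, and treating any SAPI name that starts with "cgi" as CGI mode is an assumption.

```python
import re

# Fixed releases named in the article, keyed by release branch.
FIXED = {(5, 3): (5, 3, 12), (5, 4): (5, 4, 2)}

# First line of `php -v` / `php-cgi -v`: "PHP <version> (<sapi>) (built: ...)"
BANNER = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)(\S*) \(([^)]+)\)")


def classify(banner):
    """Classify one version banner against the CVE-2012-1823 version range."""
    m = BANNER.match(banner.strip())
    if not m:
        return "unknown"
    version = tuple(int(part) for part in m.group(1, 2, 3))
    suffix, sapi = m.group(4), m.group(5)
    branch = version[:2]
    if branch in FIXED:
        outdated = version < FIXED[branch]
    else:
        # Assumption: branches older than 5.3 never received the fix, and
        # branches newer than 5.4 were released with it.
        outdated = branch < (5, 3)
    if not outdated:
        return "ok"
    if not sapi.startswith("cgi"):
        # Still worth updating, but not the CGI setup the article describes.
        return "outdated-not-cgi"
    # A suffix such as "-1ubuntu3.26" marks a distribution build, which may
    # carry a backported fix under the old upstream version number.
    return "check-vendor-patch" if suffix else "at-risk"


def audit(inventory):
    """Map each host name to the classification of its banner."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory: hypothetical hosts, illustrative banners.
SAMPLE = {
    "web01": "PHP 5.3.10 (cgi-fcgi) (built: Feb  2 2012 20:27:51)",
    "web02": "PHP 5.3.10-1ubuntu3.26 (cgi-fcgi) (built: Feb 13 2017 20:37:53)",
    "web03": "PHP 5.4.1 (cli) (built: Apr 26 2012 10:11:12)",
    "web04": "PHP 5.4.2 (cgi-fcgi) (built: May  4 2012 09:00:00)",
    "web05": "PHP 5.2.17 (cgi) (built: Jan 10 2011 08:00:00)",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(host, status)
```

A `check-vendor-patch` result means the upstream version number alone cannot settle the question, so the distribution's changelog for that package is the place to confirm whether the fix is present.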

It can be a pain to update your website’s PHP, and for the average person it may be too complicated a task. However, for security purposes – especially for site owners with a lot of end users or sensitive data – updating your PHP to protect your website from all vulnerabilities is very important.