Imperva calls for removal of PHP 'SuperGlobal' feature

Summary: Although the security concerns are now over two years old, Imperva has called for the removal of one of PHP's features that could allow attackers to take over servers.

Security company Imperva is calling for the removal of a feature in PHP, arguing that it opens the door for attackers to turn servers across the globe into their own botnet.

In a report (PDF), the company takes particular issue with the use of PHP's "SuperGlobal" parameters and how they can be abused.

The attack described in the report is not particularly new: it chains two vulnerabilities, CVE-2011-2505 (first disclosed in July 2011) and CVE-2010-3065 (disclosed in August 2010), to execute arbitrary code on a server.

Combined, they allow attackers to modify the _SESSION SuperGlobal variable and write data to a local file on the server. That file is later parsed and executed by phpMyAdmin, a popular web-based tool for managing MySQL databases, allowing the attacker to run any code they wish.

However, the company considers the ability of request parameters to reach SuperGlobal variables, which is what both vulnerabilities rely on, to be overpowered, and is advocating that such parameters be removed from requests altogether.

"SuperGlobal parameters in requests should be blocked — since there is no reason for these parameters to be present in requests, they should be banned," the report says.
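The blocking rule quoted above, written out as a request filter. This is an added example and not code from the Imperva report, from PHP or from phpMyAdmin; the function names `php_base_name`, `superglobal_params` and `should_block` and the sample requests are constructed for illustration. It assumes PHP's documented handling of parameter names (dots and spaces in a name become underscores) and, from the PHP source, that leading spaces in a name are dropped, so obfuscated spellings such as `%5FSESSION[x]` or `.SESSION[x]` are recognised as writes into `_SESSION`.

```python
from urllib.parse import parse_qsl

# The nine PHP SuperGlobals. PHP variable names are case-sensitive, so the
# match below is exact: $_session is an ordinary array, not a SuperGlobal.
PHP_SUPERGLOBALS = frozenset({
    "GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
    "_COOKIE", "_SESSION", "_REQUEST", "_ENV",
})


def php_base_name(raw_name):
    """Return the array name PHP would register for a decoded parameter name.

    Mirrors PHP's variable registration (assumption based on
    php_register_variable_ex in main/php_variables.c, not on the report):
    leading spaces are dropped, and in the part before the first '[' every
    '.' and ' ' becomes '_'. The index part is left alone because the only
    question here is which array the write lands in.
    """
    name = raw_name.lstrip(" ")
    base, _bracket, _index = name.partition("[")
    return base.replace(".", "_").replace(" ", "_")


def superglobal_params(encoded):
    """Return the raw parameter names in a query string or
    application/x-www-form-urlencoded body that would be registered into a
    PHP SuperGlobal. An empty list means the request is clean."""
    hits = []
    for raw_name, _value in parse_qsl(encoded, keep_blank_values=True):
        # parse_qsl already undoes %XX escapes and '+', so %5FSESSION is
        # seen here as _SESSION before the PHP normalisation is applied.
        if php_base_name(raw_name) in PHP_SUPERGLOBALS:
            hits.append(raw_name)
    return hits


def should_block(query_string, post_body=""):
    """WAF-style decision: True if either the URL query string or the form
    body carries a parameter that targets a SuperGlobal."""
    return bool(superglobal_params(query_string) or superglobal_params(post_body))


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("page=1&sort=name", ""),                            # ordinary request
        ("_SESSION[user]=admin&page=1", ""),                 # plain spelling
        ("%5FSESSION%5Buser%5D=admin", ""),                  # percent-encoded underscore
        (".SESSION[user]=admin", ""),                        # PHP turns the dot into '_'
        ("page=1", "GLOBALS[cfg][Servers][1][host]=evil"),   # POST body targets $GLOBALS
        ("user=_SESSION", ""),                               # value, not a name: benign
    ]
    for qs, body in samples:
        verdict = "BLOCK" if should_block(qs, body) else "allow"
        print(f"{verdict:5} qs={qs!r} body={body!r}")
```

A filter like this only stops the request-side half of the chain: an application that copies request values into _SESSION itself (the phpMyAdmin flaw in the report) still has to be patched, and the check says nothing about cookies or JSON bodies, which PHP does not register into SuperGlobals the same way. Because PHP names are case-sensitive the match is exact; a deployment that would rather over-block can compare the base name case-insensitively.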

Topics: Security, Software Development, Web development

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

1 comment
  • Please don't make fluff statements

    They have not recommended anything like what you say; what they said was that requests, either in the URL like 'http://example.com?some_attack_variables' or via a POST request, should not be able to change values in the _SESSION/_SERVER/etc. system variables.

    What they said was "SuperGlobal parameters in requests should be blocked". This is correct and doesn't mean what you wrote!
    jenolan