Sites Developed with PHP Vulnerable to Attack

Sue Marquette Poremba

Want to make sure your computers are safe from attack? Don't go on the Web.


OK, I know that's virtually impossible in today's world. I know I certainly couldn't make it through my work day without it. But a new report from Imperva found that the most vulnerable areas of websites are a serious security hole.


Imperva's Hacker Intelligence Initiative report looked at how local and remote file inclusion (RFI/LFI) attacks enable hackers to execute malicious code and steal data by manipulating a Web server. According to the report:

RFI/LFI has not been taken seriously by the security community. In real-world hacking attacks, RFI/LFI attacks made up 21 percent of all observed application attacks.
For hackers, RFI/LFI attacks are very attractive since they target PHP applications. With more than 77 percent of today's websites running PHP, RFI should be on every security practitioner's radar but isn't.

RFI/LFI attacks are a hacker's playground. These attacks take advantage of the PHP applications by using a URL reference to remotely host arbitrary code. PHP is used in a lot of sites, including some of the most popular sites out there, like Facebook, Wikipedia and WordPress. The application is an easy door for hackers to enter, and the vulnerability has been used by hacking groups like LulzSec.


Or, as Tal Be'ery, Imperva's senior Web researcher, explained in a release:

LFI and RFI are popular attack vectors for hackers because it is less known and extremely powerful when successful. We observed that hacktivists and for-profit hackers utilized these techniques extensively in 2011, and we believe it is time for the security community to devote more attention to the issue.

The report provides an approach for protecting yourself against RFI attacks, as well as examples of real-world attacks and what they looked like. Imperva just provided a suggestion on how to slam shut one of those entries of easy access.
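
The report's own mitigation steps are not reproduced on this page. As an added illustration (not code from Imperva or from this article), the PHP below contrasts the include pattern that RFI/LFI depends on with an allowlist-based resolver; the page names, `resolve_page` and the temporary template directory are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (shown for contrast, never called here): the request
// parameter flows straight into include, so a URL (RFI, when the php.ini
// directive allow_url_include is On) or a ../ path (LFI) picks the file.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// Hardened pattern: the parameter is only a key into a fixed template map.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null; // URLs, ../ sequences and unknown names are all rejected
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$page]);
    // Defence in depth: the file must exist and resolve inside the template dir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: build a throwaway template directory and probe it.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo 'home page', PHP_EOL;");

foreach (['home', 'contact', '../../etc/passwd', 'http://example.invalid/x'] as $input) {
    $file = resolve_page($input, $dir);
    if ($file === null) {
        echo "rejected: $input", PHP_EOL;
    } else {
        include $file;
    }
}
unlink($dir . '/home.php');
rmdir($dir);
```

Keeping `allow_url_include` set to `Off` in php.ini (its default) blocks the remote variant at the interpreter level, but only the allowlist also closes the local-file variant.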


After every hack, security experts tell me that the vulnerability exploited could have easily been closed, and that groups like Anonymous and LulzSec are looking for those easy little mistakes to exploit. That's why it is important for security personnel to be ahead of the game and lock shut those easily opened security holes.

Apr 12, 2012 7:02 PM Marie says:

This article resonated with me. I recently had a PHP site that got hacked and malware was installed and now it is a nightmare to get rid of it!

May 2, 2012 10:04 AM mbragi says:

I agree with Marie, PHP sites are more vulnerable to hacker attacks.

Dec 5, 2012 11:43 AM Kevin Loyed says:

I agree that content is totally king. And that is really great. These times you can focus and do something sensible.
