PHP is one of the most popular programming languages used worldwide. It powers around 80% of the web, including popular content management systems like Drupal and WordPress. However, like everything else, this programming language is not safe from cyberattacks.

Outdated PHP versions are the biggest threats

PHP is evolving, and when developers use an outdated version of the language, they expose their websites to security risks.
  • Citing the seriousness of such threats, researchers recently traced more than 80,000 web servers that used unpatched versions of PHP, making them vulnerable to a variety of cyberattacks.
  • Some of the known vulnerabilities that affect these unpatched versions include cross-site scripting (XSS) and SQL Injection (SQLi) vulnerabilities.
  • These flaws can be exploited to gain unauthorized access to the sites, modify their content, and steal user data.

A potential source of supply chain attacks

The effectiveness of a software supply chain attack depends on how unsecured third-party software is and PHP, the open-source code, is no exception to this. This can ultimately allow cybercriminals to achieve access, conduct espionage, and enable sabotage by targeting the development lifecycle of a product.
  • In the first week of May, security researchers raised an alarm about a decade-old supply chain flaw in the PHP package manager that could have put millions of websites at risk.
  • Although there is no evidence of abuse of the vulnerability, the overall popularity of PHP, combined with the number of PHP projects that use Composer, increases the risk of cyberattacks if the flaw is not patched in time.
  • In another incident, the attackers had compromised a server of the PHP project to upload two malicious commits, including a backdoor.
  • The commits were pushed to the php-src repository, thus fueling an opportunity for supply chain attacks that further compromised more websites.

PHP also makes ways for skimming attacks 

  • The ever-evolving web skimming attacks observed new activity from Magecart Group 12 that leveraged PHP web shell to launch card skimmers.
  • The web shell, known as Smilodon or Megalodon, was used to dynamically load JavaScript skimming code via server-side requests into online stores.
  • It was disguised as a fake favicon image to prevent the detection of the skimmer.

A simple solution

Leaving software unpatched makes one a sitting duck for malicious actors, and can come back to haunt one in more ways than one. The only solution to this particular problem is rather simple: keeping software up to date. In other words, hardening the security of software is definitely worth the hassle.

Cyware Publisher