Mitigate enterprise risk from PHP hyper-global variables

This article describes the vulnerabilities of PHP applications and how attackers can use PHP hyper-global variables to perform web attacks. And explain what is the PHP Super global variable and the risks it poses. 498) this.width=498 ' OnMouseWheel = ' javascript:return big (This) ' border= ' 0 "alt=" mitigate enterprise risk from PHP hyper-global variables "src=" http:// S2.51cto.com/wyfs02/m02/30/69/wkiom1onk7lbnsleaaaiovbsays736.jpg "width=" "height="/>Nick Lewis (CISSP, GCWN) is an information security analyst. He is primarily responsible for risk management projects and supports the technical PCI compliance program for the project. Nick received a master's degree in telecommunications from Michigan State University in 2002 and a master's degree in information security from Norwich University in 2005. Before joining the current organization in 09, Nick worked at the Boston Children's Hospital, the Harvard Medical School's junior pediatric teaching hospital, and Internet2 and Michigan State University. Q: I've heard a lot about vulnerabilities in PHP applications and how attackers can use PHP hyper-global variables to perform web attacks. Can you explain what is the PHP Super global variable and the risk it poses? A: First, let's take a look at the background: the hypertext Preprocessor (PHP) has existed for more than 10 years and is by far the most important Web application programming language. Its initial design considered functionality and ease of use. However, although PHP has been used for so many years, it has a "dirty" security hole record. Researchers have even created hardened PHP projects to help businesses protect applications and Web pages. Although we have discovered and fixed many PHP vulnerabilities, many of these vulnerabilities pose a threat to many common Web applications and require Web application developers to be able to use the latest version of PHP. Other programming languages, such as Microsoft's active Server pages or ASP, do not have these types of vulnerabilities and therefore do not require developers or system administrators to always use the latest version of the language to keep the application secure, reduce the need for upgrades and training, and thus reduce development costs. No matter what programming language you use, we still need to use security development practices. In August 2000, PHP hyper-global variables were introduced to disable the PHP register global feature because it created significant security issues for PHP and Web applications. PHP Hyper-Global variables are built-in variables available in PHP scripts that store data that can be used throughout the script. Because of unsafe design, this deprecated feature is widely abused by attackers. Application Security Vendor Imperva describes the risks associated with hyper-global variables in its reports. One of the risks is that hyper-global variables can be entered into malicious data, which can then be exploited in an insecure manner by attackers. Two key information is that, as Imperva points out, for any PHP application, there is no reason to provide hyper-global parameters, and requests that applications provide these parameters should be blocked. To do this, check to make sure that your Web application firewall deploys rules to automatically block these requests, and that when this happens, an alert should be issued, as this is likely to be the hallmark of a targeted attack. "Editorial recommendations" how to deal with Web attack protection blind spot Web attack Ten reasons Web attack, how to break? "Responsible editor: Blue Rain Tears TEL: (010) 68476606" Original: Ease the enterprise risk of PHP hyper-global variables return to network security home