Hiveminds | Sat, 2006-07-22 15:19

What are the top five open source PHP software exploits? In order:

  1. Fantastico
  2. Installatron
  3. Users
  4. Web hosting services
  5. Laziness

Fantastico and Installatron are by far the worst culprits in the recent attacks on Joomla and other PHP software. Why? Because although most PHP projects publish security updates, those updates do not reach the auto-installers soon enough. If and when they do reach the auto-installer software, there is another hop before they reach the web hosting service. Web hosts must be aware and update often.

Hackers know that auto-installation software exists and that many people use it. They also know auto-installers do not update their software frequently. Auto-installers do not make the end user aware that the software they are installing may have a security hole or other problems that make their website a high security risk.

Users that use Installatron or Fantastico usually do so because they are not knowledgeable enough about PHP and MySQL to do the installation themselves. In some cases the end user is simply taking advantage of a convenience. That convenience is not such a convenience later, when the user must surf to the software project's web site and learn how to update what they have just installed. So most don't. Those that try to upgrade to the most secure version may be frustrated by the fact that the upgrade process is difficult, possibly more difficult than the original installation would have been without an auto-installer.

Let's talk about laziness. In a perfect world everyone would be active when they should be. But that world is not the world of the internet. People that use the internet and work on the internet are inherently lazy. They want to take the easy way out. This is what makes the web the web: laziness and convenience. So one can hardly blame anyone for joining in on the fun. The problem is that when it comes to security, laziness leads to disaster.

To close these security holes you have to stop being lazy. It requires that web hosts take the initiative and make their account holders aware of the pitfalls of using and depending on auto-installation software. Auto-installation software makers are going to have to come up with a better system for upgrading and distributing those upgrades to web hosting companies. While a new system may take a while to arrive, one thing software makers and web hosts can do in the short term is post the versions of the software on their web sites along with any available security news. Here is a screenshot from a web host website taken just minutes ago. You can see that the version numbers of Drupal and Xoops are a bit behind, although the latest versions have been available for weeks. Even phpBB, the hot ticket on a hacker's list, is behind.

It's a vicious circle. While I can appreciate that it takes time to update software, what are website owners to do in the meantime? If they update on their own, they have to keep doing so: Fantastico and Installatron will not take over and do the updates, even if the website owner does know how to do them. How about the web host? What if they find out that there is a serious security hole in software used by 500 websites that were set up with an auto-installer? They can't turn them off without starting an angry mob, nor can they do 500 manual upgrades without problems. Waiting for the auto-installer's software maker to update means they are sitting on 500 ticking bombs that could affect hundreds or thousands of account holders if they go off!

Here is a list of PHP software that is being worked on by Fantastico but not finished. If you look at the dates and versions, you will see that a hacker gets a good amount of time to come up with an exploit.
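As an added example (not from the original article), here is a small Python audit that does what the paragraphs above ask hosts to do by hand: compare the versions an installer catalogue offers against the upstream latest release and report how many days each stale version has been exposed. The application versions and release dates below are constructed for illustration and are not real release data.

```python
import re
from datetime import date


def parse_version(text):
    """Split '2.0.21' or '1.0.10-stable' into a tuple of ints so that
    1.0.10 sorts after 1.0.9 (plain string comparison gets this wrong)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def audit(offered, upstream, today):
    """Compare an installer catalogue with upstream releases.

    offered:  {app: version_string}            (what the host/auto-installer ships)
    upstream: {app: (latest_version, release_date)}
    Returns one record per app, longest exposure window first.
    """
    report = []
    for app, have in offered.items():
        latest, released = upstream[app]
        behind = parse_version(have) < parse_version(latest)
        report.append({
            "app": app,
            "offered": have,
            "latest": latest,
            "behind": behind,
            # Days the fixed release has been public while the old build is still offered.
            "exposure_days": (today - released).days if behind else 0,
        })
    report.sort(key=lambda r: r["exposure_days"], reverse=True)
    return report


# Constructed sample data (hypothetical versions and dates, not real release history).
OFFERED = {"drupal": "4.7.1", "xoops": "2.0.13", "phpbb": "2.0.19", "joomla": "1.0.10"}
UPSTREAM = {
    "drupal": ("4.7.2", date(2006, 6, 1)),
    "xoops": ("2.0.14", date(2006, 7, 1)),
    "phpbb": ("2.0.21", date(2006, 6, 1)),
    "joomla": ("1.0.10", date(2006, 6, 26)),
}
REPORT_DATE = date(2006, 7, 22)  # the date of this post

if __name__ == "__main__":
    for row in audit(OFFERED, UPSTREAM, REPORT_DATE):
        flag = "BEHIND" if row["behind"] else "ok"
        print(f"{row['app']:8} {row['offered']:>8} -> {row['latest']:<8} {flag:6} {row['exposure_days']:>3} days")
```

A host could run this against its own catalogue page daily and publish the result next to the version list, which is the "post the versions along with any available security news" step described above.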

Lastly, website owners are going to have to be more savvy and involved in running their websites. What they should be doing, if they cannot do it themselves, is finding a good web developer or web designer that can handle things for them: someone, or a group, that can keep up on the latest security fixes. It's either this or go back to using static HTML pages. Website owners can no longer just click once, sit back and wait.


Happy Publishing!

This article brought to you by the Hiveminds Magazine - Staff. Contact us if you want to post an article or announcement anonymously