Akamai Diversity

The Akamai Blog

Manipulating PHP Superglobal Variables

Here at the Akamai Edge conference in Washington D.C., we're talking to customers about the latest attack techniques and how we're staying ahead of the threats. One example of what we're watching: a method where attackers are able to use vulnerabilities in PHP applications to exploit superglobals -- pre-defined variables in PHP -- to launch malicious code.

Attack details:

PHP superglobal variables have been a part of the language since version 4.1.0, which was released in December 2001. Superglobals are predefined array variables in the language that could be used in any PHP application on any platform running the language. These variables included $GLOBALS, $_SERVER, $_GET, $_POST, $_FILES, $_COOKIE, $_SESSION, $_REQUEST and $_ENV. The $GLOBALS array contains each of the values from the other eight superglobals just as the $_REQUEST also includes the values from $_GET and $_POST.

PHP had a directive, register_globals until it was switched to "off" by default as of version 4.2.0 (April 2002) and removed it completely as of version 5.4.0 (March 2012). When register_globals was set to on, developers could dynamically create new variables with global scope via the request.

Due to this scope, the values of the parameters were immediately available anywhere in the application. If the developer was not careful, a malicious user could change the behavior of the application by simply adding parameters into the Web page request.

Despite a series of fixes along the way, attackers continue to exploit old vulnerabilities using PHP's superglobals. One report showed a method where attackers chained together two known vulnerabilities to run remote code on a server.

How to tell if you're at risk:

Affected versions of phpMyAdmin are before 3.3.10.2 and before 3.4.3.1. This issue was patched by phpMyadmin in July 2011 as of versions 3.3.10.2 and 3.4.3.1.

Additionally, on August 20, 2010, the Mitre Common Vulnerability and Exposure database added CVE-2010-3065, which described a method by which attackers can alter serialized PHP session data on a server. Affected versions of PHP are 5.2.13 and earlier as well as 5.3.2 and earlier.

Fixing the problem:

The most important way to keep your applications safe is to keep them fully patched and at the latest install versions. The latest version of phpMyAdmin can be found at http://www.phpmyadmin.net/home_page/downloads.php and the latest version of PHP can be found at http://php.net/releases/index.php.

Don't leave third-party applications available to the public Internet. Place your company's single sign-on in front of it or put it on an internal network and require VPN to access it.

If your application requires the user be able to interact with a superglobal variable, take extra steps to ensure that the input is properly sanitized and validated, to avoid any malicious input. If possible, don't use superglobals at all in the application.

For Akamai customers, we've created a custom WAF rule to prevent superglobal variable manipulation.

Leave a comment