
PHP Server Side Scripting Forum

PHP.net Compromised
travelin cat

 7:59 pm on Oct 24, 2013 (gmt 0)

One of our research tools flagged php.net as distributing malware.




 8:11 pm on Oct 24, 2013 (gmt 0)

There is also a thread on this here:

php.net - Malware Warning in Google SERPs [webmasterworld.com]


 5:40 am on Oct 25, 2013 (gmt 0)

Other news outlets are picking up on this as well...

http://www.pcworld.com/article/2057980/phpnet-compromised-and-used-to-attack-visitors.html [pcworld.com]

PHP.net compromised and used to attack visitors

Visitors to the official website for the PHP programming language over the past couple of days might have had their computers infected with malware.

Hackers managed to inject malicious JavaScript code into a file on the php.net site called userprefs.js. The code made requests to a third-party website that scanned visitors' browsers for vulnerable plug-ins and executed exploits that, if successful, installed a piece of malware, said Daniel Peck, a research scientist at Barracuda Networks.


 10:39 am on Oct 25, 2013 (gmt 0)

I hit a very popular php site yesterday and my anti malware went off due to an attempted exploit. It is a very high traffic site. This js might be a popular one and I would assume they are all infected.


 4:42 am on Oct 26, 2013 (gmt 0)

Considering PHP sites are always being compromised, maybe having the mothership itself corrupted will make them wake up and clean up their act.


 12:44 pm on Oct 27, 2013 (gmt 0)

Considering PHP sites are always being compromised...

...because most sites use PHP.


 9:18 pm on Oct 27, 2013 (gmt 0)

This js might be a popular one and I would assume they are all infected.

It was a customized script that it's safe to assume is used only at php.net.

Considering PHP sites are always being compromised...

...because most sites use PHP.

Indeed, PHP is no more vulnerable than any language, and less than most.


 8:43 am on Oct 29, 2013 (gmt 0)

Yes, and no.

PHP has low barriers to learning: it's very easy to learn incrementally - e.g. learn a bit to do WordPress templates, then a bit more to write a simple plugin etc.

This means a lot of people who are not very good (lack the talent or commitment to be good developers) learn and use PHP.

It is much less likely that people would learn a language like Python without some commitment and discipline, and virtually impossible with, say, C++ or Haskell.

PHP has historically had some bad design in the language itself (e.g. register globals) and more in some software. It's improved a lot - especially if you use a good web framework.

I do not use PHP enough to judge how it compares to other LANGUAGES, but, I think, in general you should not use bare PHP (or any other language) but use it with a framework, as that takes care of a lot of work and security issues for you.

A good PHP developer would do a good job, but PHP has a higher proportion of incompetents, and the temptation to use it without a well tested framework or components. Of course that does not affect the ability of good PHP developers to do a good job.


 9:02 pm on Oct 29, 2013 (gmt 0)

Frameworks and users don't really have anything to do with the security of a language. That would be similar to saying that acme hammers are vulnerable to being used as murder weapons because more murderers buy them.

You're right that there are a lot of bad PHP programmers. But I don't see how it's more true of PHP than other languages. Python is a much more beginner-friendly language. Chances are there are proportionally more bad Python programmers, it just isn't as popular so you don't notice. And C/C++ are taught in basic programming classes where people learn only enough to be dangerous to themselves.

Frameworks are great for corporations or other environments where you need to get a lot of people with varying degrees of skill doing the same thing consistently in a short amount of time.

Unfortunately another thing frameworks accomplish is to create less efficient applications that will ultimately end up requiring more hardware to serve the same traffic because the code they provide, by definition, has to use extra processor cycles in an attempt to be flexible enough to be one size fits all. Also framework code is reviewed and tested less than core language code even though in many cases it attempts to replace it.

Then, from a hacking perspective, Frameworks introduce new vulnerabilities. They mean you don't just have to target the OS, the language itself, or the individual application. You can also look for vulnerabilities in the framework provided code.
