Many still haven’t patched PHP vulnerability, say researchers

Here’s another reminder of how important it is to update everything under your control.

Researchers at a security vendor say a public exploit in the popular PHP scripting language used by many companies for writing Web applications is still being used some 22 months after being discovered. The exploit, which allows hackers to remotely take control of Apache servers, is still being used by attackers according to a blog posted Thursday by Imperva.

Briefly, the vulnerability in older versions of PHP allows attackers to place command line options in the query string, including one that can manipulate PHP security settings that bypass security checks and allow remote code execution.

Imperva researchers believe the sophistication of the 43 different types of payload data in the attacks its honeypot attracted suggests bot herding is going on, where the Internet is being scanned for servers exposed the vulnerability to infect them with bot clients.

Yet while the vulnerability was announced in 2012 and an exploit discovered last October, there are still a number of unsecured servers.

As the blog notes, it shows cybercriminals understand how long it takes between the time a vulnerability is publicized and the time it is patched.

Read the blog here

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web