PHP features a scripting language that is essential in the development of websites. It is primarily embedded in HTML and when used in a CGI configuration, PHP-CGI receives command-line arguments which allow the passage of command-line switches like -c, -d, and -s. The switches can then pass to the PHP-CGI binary that hackers can exploit to gain access to source code. The adoption of protected coding techniques is essential to your website security; it helps secure it from cybercriminal attacks. In this post, we will examine PHP CGI remote code injection vulnerability and how to protect your website from it.

Web servers use an interface called CGI in the execution of programs that dynamically generate web pages. It is mainly used in servers responsible for the creation of personalized responses based on the user's request.

When you create a website, CGI works as a control tool that works in collaboration with a supporting web server. The name of the CGI application should be designated in the specific URL. This way, the gateway program can use the URL to send the program's specific parameters.

CGI works by passing essential data from one application that consistently processes data to send information back continuously. The individual who writes a specific application has the ability to use it regardless of the operating systems the server uses.

PHP-CGI is a protocol that transfers information between a CGI program and a web server. It is possible for one to execute PHP scripts with the aid of a CGI application. However, the process is inefficient and many choose not to use it.

A PHP script affected by a bug cannot affect any files outside its hosting domain. This serves as a key advantage of PHP-CGI, meaning that the execution of code is kept separate from a particular web server. A key disadvantage of using PHP-CGI is that it is an inefficient process that requires the user to create a new process every time they need to execute a PHP code.

When you run a PHP-CGI, it means that your web server has the knowledge of the PHP file that needs to be executed. The web server can then begin the execution, meaning that the script that you called will load every time a user visits your website.

Hackers can use code injection to introduce malicious codes into your CGI RCE program. Cybercriminals use an attack vector as a vulnerability to compromise a CGI application's integrity. They can then send PHP codes that are executable in the user's browser or in the application itself.

PHP-CGI doesn't provide an escape plan that is custom-built for JavaScript. This means that the processing of the vulnerability will occur in the PHP runtime. The execution takes place on the user's website or in the server itself.

In the image below is an example of malware where hackers use a Microsoft network to upload and execute Anubis malware into a vulnerable website:

Improving your website security is essential to protect it from hackers. Here are five ways to protect it from PHP CGI remote code injection.

1. Only Using Strong Sanitization Techniques

Handling and sanitization are two methods that are essential to the security of the PHP-CGI application. Each time you accept a particular input from a user, you need to validate and process it in a method that does not put you at risk of cyberattacks. Every input becomes a vulnerability that can act as an attack vector if you don’t use proper security measures.

strip_tags() is a function that is used for sanitization. However, it is not effective because it only works by stripping the PHP and HTML from multiple user inputs. This means that it is possible for SQL and JavaScript to possess malicious inputs even when the function is used.

Another ineffective function is htmlentities(). This function only attempts to displace inputs that don’t match with any of the UTF character sets. In fact, hackers can introduce malicious code into your application even when you use the function. This renders it ineffective in dealing with remote code injection.

2. Utilize a PHP Security Linter

A linter serves as a tool that can scan codes for security vulnerabilities and errors. PHP comes with a built-in linter that can help you in running the PHP -l command. One disadvantage of using a linter is that it only possesses the ability to check each file independently, which can be time-consuming.

An alternative that one can consider is the PHPlint which can check numerous files at a time. A key benefit of using PHPlint is that it has the capability to analyze both PHP 7 and PHP 8 and provides a comprehensive output highlighting all flaws.

3. Steer Clear of shell_exec(), exec(), system() and passthru()

A good strategy to protect your website from PHP CGI remote code injection is through avoiding the use of commands that can call the operating domain from the PHP directly. If you continue to use such commands, the attackers can take advantage of your server stack and perform malicious actions that will likely affect your website’s security.

Functions like shell_exec(), system(), exec(), and passthru() have widely been used in decompressing and compressing files and folders. The use of these functions can lead to severe vulnerabilities, especially when they meet user inputs from attackers.

There are functional operators that have been integrated into PHP like escapeshellarg() that can be utilized to sanitize user inputs before they reach essential functions. However, note that using these functions does not mean that your website is 100% safe from malicious hackers.

4. Always Use Software From Established Content Management Systems

It is difficult to keep track of each code, and one way to solve the issue is to use reliable and trustworthy Content Management Systems (CMS). WordPress is a good example of a reputable CMS that you should consider.

Using trusted CMS means that you have regularly updated software you have the power to discover vulnerabilities with ease. Developers work ²⁴⁄₇ to detect and solve any security vulnerabilities that can affect your website, including plugins and themes.

The use of CMS application protects your website from injection attacks. The query has the ability to notify the application early in advance of the particular query type that it will run. The application can then identify and remove commands that can act as vulnerability exploits.

5. Identify Code Injection Vulnerabilities Using Static Application Testing Tools

Static application security testing (SAST) is a testing procedure that helps in examining the particular source of a code to identify possible vulnerabilities. The scans can play a key role in identifying malicious code before it is successfully compiled.

PHPStorm is an example of a common Integrated Development Environment (IDE) that comes with built-in features that can examine possible code injection problems. PHPStorm comes with Xdebug which is an option that you can use in profiling and linting to prevent any coding errors and bugs.

SAST can assist in protecting your website from security vulnerabilities by identifying the issues in advance. It makes the navigation process easy, as you don’t have to worry about security vulnerabilities that can pose a risk to your domain’s security.

Another advantage of using SAST to prevent remote code injection is that you don’t require a lot of expertise to fix the coding issues. The tools provide you with regular guidance on how to fix the issues without the help of a domain expert.

Website developers rely on SAST tools because they provide them with customized reports; they can export or track these reports with the help of dashboards.

For the SAST tools to be effective, they need to run regularly on the application. They must run daily, every time there is a new user input, each time that a particular code checks in, and when the code is released.

Quttera is a global leader when it comes to providing website protection solutions. Our solutions have the capability to block any malicious requests or visitors from gaining access to your website.

Our team provides the best DNS WAF services to drop malicious requests before they gain access to your website. In such a scenario, endpoint WAF becomes ineffective because any malicious request will first be handled by PHP that is vulnerable before being forwarded to your PHP application.

We continually improve our detection methods over time. We also embrace innovation to adapt and find better ways of detecting and protecting our clients from malware threats.

Contact us today to inquire how our experts can help protect your website from PHP CGI remote code injection vulnerabilities. Sign up for ThreatSign to activate a next-generation firewall.