Race condition in applicazioni PHP

A web programmer often conceives its application as a se- quential entity, thus neglecting the parallel nature of the underlying exe- cution environment. In this environment, multiple instances of the same sequential code can be concurrently executed. From such unexpected par- allel execution of intended sequential code, some unforeseen interactions could arise that may alter the original semantic of the application as it was intended by the programmer. Such interactions are usually known as race conditions.

In this paper, we discuss the impact of race condition vulnerabilities on web-based applications. In particular, we focus on those race conditions that could arise because of the interaction between a web application and an underlying relational database. We introduce a dynamic detection method that, during our experiments, led to the identification of several race condition vulnerabilities even in mature open-source projects.