
SoylentNews is people

posted by Blackmoore on Wednesday January 07 2015, @10:02PM
from the all-your-base dept.

Over three-quarters of all installs are insecure, research shows

The Register: Want to have your server pwned? Easy: Run PHP

More than 78 per cent of all PHP installations are running with at least one known security vulnerability, a researcher has found.

Google developer advocate Anthony Ferrara reached this unpleasant conclusion by correlating statistics from web survey site W3Techs with lists of known vulnerabilities in various versions of PHP.

What he found is that many, many PHP-powered websites are using insecure versions of the interpreter – so much so that it's actually easier to find an insecure PHP setup on the internet than a secure one.

"This is absolutely and unequivocally pathetic," Ferrara wrote.

The two most popular PHP releases, according to W3Techs' statistics, were versions 5.2.17 and 5.3.29. Together, they accounted for 24 per cent of the total – and both are insecure.

  • (Score: 4, Interesting) by darkfeline on Wednesday January 07 2015, @10:34PM

    by darkfeline (1030) on Wednesday January 07 2015, @10:34PM (#132739) Homepage

    That's what PHP calls a double colon, by the way.

    Unless you need to use software that is written in PHP, you shouldn't touch it with a yardstick. There are many options, all of which are superior, if only for the reason that they were created by people who have some idea what they're doing: Python (Django), Ruby (Rails), even CGI scripts or Golang.

    Want to know how deep the rabbit hole goes? First, there's the fact that double colons are called T_PAAMAYIM_NEKUDOTAYIM by the parser, so better brush up on your Hebrew if you run into a parse error. Second, there's this pathetic attempt at fixing an overflow: http://use.perl.org/use.perl.org/_Aristotle/journal/33448.html [perl.org] Finally, there's this long checklist of crimes against programming if you aren't scared off yet: http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/ [eev.ee] (Note the date, some of these have probably been fixed, although keep in mind how the PHP devs fixed that integer overflow up there).

    --
    Join the SDF Public Access UNIX System today!
    • (Score: -1, Troll) by Anonymous Coward on Wednesday January 07 2015, @11:03PM

      by Anonymous Coward on Wednesday January 07 2015, @11:03PM (#132746)

      So what you're saying is that JEWS DID PHP

    • (Score: 0) by Anonymous Coward on Friday January 09 2015, @09:59AM

      by Anonymous Coward on Friday January 09 2015, @09:59AM (#133146)

      I guess Wikipedia and Facebook are both fucked.

  • (Score: 0) by Anonymous Coward on Wednesday January 07 2015, @10:42PM

    by Anonymous Coward on Wednesday January 07 2015, @10:42PM (#132740)
  • (Score: 2) by jcross on Wednesday January 07 2015, @10:45PM

    by jcross (4009) on Wednesday January 07 2015, @10:45PM (#132742)

    I am far from a PHP booster, and I didn't RTFA so I don't know how they measured, but I think that by default Apache/PHP will report a lot of info to the outside about what versions of everything you're running, and that's the most likely way they gathered the data. In which case all this is saying is that 3/4 of the servers whose admins didn't bother to disable that default are running vulnerable versions. Also a lot of the non-major PHP installations out there are probably WordPress, which is a steaming pile on top of a steaming pile, generally administered by people who don't know how or don't care to do things right. So, maybe not as big a result as it would seem.

  • (Score: 0) by Anonymous Coward on Wednesday January 07 2015, @10:54PM

    by Anonymous Coward on Wednesday January 07 2015, @10:54PM (#132745)

    Sometimes I dream
    That soy is me
    You've got to see that's how I dream to be
    I dream I move, I dream I groove
    Like Soy
    If I could Be Like Soy
    Again I try
    Just need to fly
    For just one day if I could
    Be that way
    I dream I move
    I dream I groove
    Like Soy
    If I could Be Like Soy

    Use Perl

    • (Score: 0) by Anonymous Coward on Thursday January 08 2015, @01:42AM

      by Anonymous Coward on Thursday January 08 2015, @01:42AM (#132772)

      what a nightmare!

    • (Score: 2) by epitaxial on Thursday January 08 2015, @04:38AM

      by epitaxial (3165) on Thursday January 08 2015, @04:38AM (#132822)

      So does anyone use perl anymore?

      • (Score: 0) by Anonymous Coward on Thursday January 08 2015, @09:05AM

        by Anonymous Coward on Thursday January 08 2015, @09:05AM (#132850)

        You know what language the site you're currently using is written in?

  • (Score: 2) by DrMag on Wednesday January 07 2015, @11:03PM

    by DrMag (1860) on Wednesday January 07 2015, @11:03PM (#132747)

    Checking my server (hosted at Arvixe), I see that the default php is 5.3.28, which apparently is considered by TFA to be insecure. However, the publicly accessible website is running 5.4.27, because it's built into the installation of Drupal powering the website. (Also insecure, it turns out.)

    Probably most websites aren't built by hand, but from something like Drupal or WordPress or DokuWiki or some such. So even if you push your host provider to update php, it may not make a difference because the other software has a different version built in.

    Any advice on how to sort all of that out and ensure that every public face is secure?

    • (Score: 0) by Anonymous Coward on Wednesday January 07 2015, @11:07PM

      by Anonymous Coward on Wednesday January 07 2015, @11:07PM (#132749)

      Any advice on how to sort all of that out and ensure that every public face is secure?

      Burqa.

  • (Score: 3, Insightful) by wonkey_monkey on Wednesday January 07 2015, @11:12PM

    by wonkey_monkey (279) on Wednesday January 07 2015, @11:12PM (#132751) Homepage

    More than 78 per cent of all PHP installations are running with at least one known security vulnerability, a researcher has found.

    Okay. So what web-facing software out there has 78 percent of all installations running without known vulnerabilities?

    --
    systemd is Roko's Basilisk
    • (Score: 0) by Anonymous Coward on Wednesday January 07 2015, @11:16PM

      by Anonymous Coward on Wednesday January 07 2015, @11:16PM (#132753)

      DJB publicfile [cr.yp.to], the bestest web server that will ever be written ever.

    • (Score: 2) by FatPhil on Wednesday January 07 2015, @11:25PM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday January 07 2015, @11:25PM (#132758) Homepage

      My gopher server?

      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 1, Funny) by Anonymous Coward on Wednesday January 07 2015, @11:27PM

        by Anonymous Coward on Wednesday January 07 2015, @11:27PM (#132759)

        Gopherspace is not the WWW. Go back to Minnesoooota, hoser.

    • (Score: 3, Funny) by frojack on Wednesday January 07 2015, @11:36PM

      by frojack (1554) on Wednesday January 07 2015, @11:36PM (#132761) Journal

      Okay. So what web-facing software out there has 78 percent of all installations running without known vulnerabilities?

      It's an oddly worded question, seemingly designed to produce parsing errors.

      But taking it at face value, I rather suspect there is a LOT of web-facing software that has no KNOWN vulnerabilities. Especially those serving simple static pages.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 0) by Anonymous Coward on Thursday January 08 2015, @03:06AM

        by Anonymous Coward on Thursday January 08 2015, @03:06AM (#132787)

        It's an oddly worded question, seemingly designed to produce parsing errors.

        I use segfaults for error reporting, you insensitive clod!

  • (Score: 1) by MichaelDavidCrawford on Thursday January 08 2015, @03:11AM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday January 08 2015, @03:11AM (#132788) Homepage Journal

    I think the problem is software developers who use PHP.

    I learned PHP a while back. While I came to regard it as "not my cup of tea", I could see how it would appeal to other people.

    The problem we've got, for any website, is inadequate testing, inadequate code auditing and code reviews, management consisting of pointy-haired bosses and VCs who want a quick, profitable IPO rather than the desire to mentor the chilluns.

    Radio Paradise got owned by "some boys from Brasil" a while back. At the time it was built on phpNuke. Bill, the site's owner and DJ, took it down for a few days, then rewrote the code, still in PHP. The new site looked just like the old one; despite still being implemented in PHP, Bill hasn't reported any hacks since then.

    However, Bill is olde and greyye, like me.

    I expect it would be enlightening were someone to do a study of reported exploits vs. the ages of the developers who wrote the code.

    --
    Yes I Have No Bananas. [gofundme.com]
  • (Score: 3, Insightful) by Whoever on Thursday January 08 2015, @04:04AM

    by Whoever (4524) on Thursday January 08 2015, @04:04AM (#132810) Journal

    This just shows massive ignorance about the way major distributions deploy security fixes.

    Red Hat doesn't update the version of PHP; instead, they backport the fixes to the same major/minor version that is supported for that major release of RHEL.

    For example, there are many servers running php-5.3.x, but they are secure, because the Red Hat version has all the security fixes.
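The survey in the story correlates advertised version strings with lists of known-vulnerable releases; this comment points out why that string alone can mislead when a distribution backports fixes without bumping the version. The following Python is an added example (not Ferrara's script, not The Register's, and not posted by any commenter) that does both steps: it classifies version strings against a branch table and then lets package changelog evidence override the verdict. The branch table, the install-share figures, the changelog text and the CVE ids are all constructed placeholders, as the code comments say; only 5.2.17 and 5.3.29 come from the story.

```python
"""Version-string triage for PHP installs, with the distro-backport caveat.

Added example, not code from the article or from any commenter. The branch
table, the version-share data and the package changelog below are
constructed for illustration; swap in current data before relying on it.
"""
import re

# Constructed placeholder table: for each branch, the newest patch release
# this example knows about and whether the branch still receives upstream
# security fixes. Not an authoritative list.
BRANCH_STATUS = {
    (5, 2): {"latest": (5, 2, 17), "supported": False},
    (5, 3): {"latest": (5, 3, 29), "supported": False},
    (5, 4): {"latest": (5, 4, 99), "supported": True},   # placeholder number
    (5, 5): {"latest": (5, 5, 99), "supported": True},   # placeholder number
    (5, 6): {"latest": (5, 6, 99), "supported": True},   # placeholder number
}

# Constructed install-share data in the W3Techs style (percent of sites).
SAMPLE_SHARES = {
    "5.2.17": 9.0, "5.3.29": 15.0, "5.3.28": 10.0,
    "5.4.27": 20.0, "5.4.99": 30.0, "5.6.99": 16.0,
}

# Constructed rpm-style changelog; CVE-0000-0001 is a placeholder id.
SAMPLE_CHANGELOG = """\
* Mon Jan 05 2015 Example Maintainer <maint@example.invalid> - 5.3.3-46
- backport fix for CVE-0000-0001 (placeholder id)
* Tue Nov 04 2014 Example Maintainer <maint@example.invalid> - 5.3.3-45
- rebuild
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_version(text):
    """'5.3.29' -> (5, 3, 29); raises ValueError for anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a PHP version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(version):
    """String-only verdict: 'current', 'outdated' or 'eol'."""
    v = parse_version(version)
    status = BRANCH_STATUS.get(v[:2])
    if status is None or not status["supported"]:
        return "eol"                    # branch gets no upstream fixes at all
    return "current" if v >= status["latest"] else "outdated"


def insecure_share(shares):
    """Percent of installs the string-only check flags (eol or outdated).
    This is the survey's method, so it inherits the survey's blind spot."""
    return round(sum(p for ver, p in shares.items() if classify(ver) != "current"), 1)


def backport_evidence(changelog, cve_id):
    """True if the package changelog records a fix for cve_id. This is the
    evidence a version string cannot carry; it needs on-host access."""
    return cve_id.upper() in {c.upper() for c in CVE_RE.findall(changelog)}


def triage(version, changelog=None, cve_id=None):
    """Combine both views: a backport record for cve_id overrides an
    'outdated' or 'eol' string verdict for that CVE."""
    verdict = classify(version)
    if verdict != "current" and changelog and cve_id and backport_evidence(changelog, cve_id):
        return "patched-by-backport"
    return verdict


if __name__ == "__main__":
    print("string-only insecure share:", insecure_share(SAMPLE_SHARES), "%")
    print("5.3.3 vs CVE-0000-0001:", triage("5.3.3", SAMPLE_CHANGELOG, "CVE-0000-0001"))
    print("5.3.3 vs CVE-0000-0002:", triage("5.3.3", SAMPLE_CHANGELOG, "CVE-0000-0002"))
```

The `triage` call checks one CVE at a time; a real audit would loop over every CVE affecting the branch and treat any without changelog evidence as open. On an RPM-based host the changelog text comes from `rpm -q --changelog php`, which is why a header-based survey like the one in the story cannot make this distinction from the outside.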

    • (Score: 3, Interesting) by MichaelDavidCrawford on Thursday January 08 2015, @04:12AM

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday January 08 2015, @04:12AM (#132815) Homepage Journal

      The O'Reilly Apache Security book advises that the reader configure their httpd to identify itself as IIS. That way the kiddies waste their cycles beating against it with Windows exploits.

      I used to do that myself, but I checked just now, and that seems to have fallen on the floor when I got a new server.

      Just about the most clueless thing you can do in the way of security is to tell the truth with your version number.

      --
      Yes I Have No Bananas. [gofundme.com]
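jcross's comment earlier in the thread (Apache and PHP announce their versions by default, which is probably how the survey was gathered) and this comment's advice not to publish a true version number both come down to two response headers. The Python below is an added example, not code from the thread or from the Apache Security book, that audits a raw HTTP response for version disclosure and names the setting that removes each one. The two responses are constructed; the directives it names (`expose_php` in php.ini, `ServerTokens` and `ServerSignature` in httpd.conf) are real settings.

```python
"""Audit what a web server advertises about itself in response headers.

Added example, not code from the thread. Both sample responses are
constructed; the hardening directives named below are real php.ini and
httpd.conf settings.
"""
import re

# Constructed: what a stock Apache + mod_php install tends to send.
VERBOSE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Wed, 07 Jan 2015 22:02:00 GMT
Server: Apache/2.2.15 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Content-Type: text/html; charset=UTF-8
"""

# Constructed: the same server after expose_php = Off and ServerTokens Prod.
QUIET_RESPONSE = """\
HTTP/1.1 200 OK
Date: Wed, 07 Jan 2015 22:02:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
"""

# product/version tokens such as Apache/2.2.15 or PHP/5.3.3
VERSIONED_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")


def parse_headers(raw):
    """Split a raw response into {lower-cased name: value}; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosed_versions(raw):
    """Sorted, de-duplicated (product, version) pairs found in Server and X-Powered-By."""
    h = parse_headers(raw)
    found = set()
    for name in ("server", "x-powered-by"):
        found.update(VERSIONED_TOKEN.findall(h.get(name, "")))
    return sorted(found)


def audit(raw):
    """One finding per disclosure, each naming the setting that removes it.

    expose_php = Off (php.ini) drops X-Powered-By and the PHP token mod_php
    appends to Server; ServerTokens Prod (httpd.conf) reduces Server to the
    bare product name; ServerSignature Off keeps the version off error pages.
    """
    h = parse_headers(raw)
    findings = []
    if h.get("x-powered-by", "").startswith("PHP/"):
        findings.append("X-Powered-By reveals the PHP version: set expose_php = Off in php.ini")
    if VERSIONED_TOKEN.search(h.get("server", "")):
        findings.append("Server header carries version tokens: set ServerTokens Prod "
                        "and ServerSignature Off in httpd.conf")
    return findings


if __name__ == "__main__":
    for label, raw in (("default", VERBOSE_RESPONSE), ("hardened", QUIET_RESPONSE)):
        print(label, disclosed_versions(raw), audit(raw))
```

Suppressing the headers changes what a survey or a scanner can read, not what is installed: a host that passes `audit` still needs the real patch check, and a host that fails it may be running a backported build that is perfectly current, as Whoever's comment above notes.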
  • (Score: 0) by Anonymous Coward on Thursday January 08 2015, @02:46PM

    by Anonymous Coward on Thursday January 08 2015, @02:46PM (#132903)

    Want to have your server pwned? Run a server!
    Want to absolutely have your server never pwned? Don't run a server!
    Oh, wait, people who run servers probably need them running, huh? And people running php probably need php for some reason. If not, why would you run it?