Over three-quarters of all installs are insecure, research shows
The Register - Want to have your server pwned? Easy: Run PHP
More than 78 per cent of all PHP installations are running with at least one known security vulnerability, a researcher has found.
Google developer advocate Anthony Ferrara reached this unpleasant conclusion by correlating statistics from web survey site W3Techs with lists of known vulnerabilities in various versions of PHP.
What he found is that many, many PHP-powered websites are using insecure versions of the interpreter – so much so that it's actually easier to find an insecure PHP setup on the internet than a secure one.
"This is absolutely and unequivocally pathetic," Ferrara wrote.
The two most popular PHP releases, according to W3Techs' statistics, were versions 5.2.17 and 5.3.29. Together, they accounted for 24 per cent of the total – and both are insecure.
(Score: 4, Interesting) by darkfeline on Wednesday January 07 2015, @10:34PM
That's what PHP calls a double colon, by the way.
Unless you need to use software that is written in PHP, you shouldn't touch it with a yardstick. There are many options, all of which are superior, if only for the reason that they were created by people who have some idea what they're doing: Python (Django), Ruby (Rails), even CGI scripts or Golang.
Want to know how deep the rabbit hole goes? First, there's the fact that double colons are called T_PAAMAYIM_NEKUDOTAYIM by the parser, so better brush up on your Hebrew if you run into a parse error. Second, there's this pathetic attempt at fixing an overflow: http://use.perl.org/use.perl.org/_Aristotle/journal/33448.html [perl.org] Finally, there's this long checklist of crimes against programming if you aren't scared off yet: http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/ [eev.ee] (Note the date, some of these have probably been fixed, although keep in mind how the PHP devs fixed that integer overflow up there).
Join the SDF Public Access UNIX System today!
(Score: -1, Troll) by Anonymous Coward on Wednesday January 07 2015, @11:03PM
So what you're saying is that JEWS DID PHP
(Score: 0) by Anonymous Coward on Friday January 09 2015, @09:59AM
I guess Wikipedia and Facebook are both fucked.
(Score: 0) by Anonymous Coward on Wednesday January 07 2015, @10:42PM
... but they filled it full of Warez! [sytes.net]
(Score: 2) by jcross on Wednesday January 07 2015, @10:45PM
I am far from a PHP booster, and I didn't RTFA so I don't know how they measured, but I think that by default Apache/PHP will report a lot of info to the outside about what versions of everything you're running, and that's the most likely way they gathered the data. In which case all this is saying is that 3/4 of the servers whose admins didn't bother to disable that default are running vulnerable versions. Also a lot of the non-major PHP installations out there are probably WordPress, which is a steaming pile on top of a steaming pile, generally administered by people who don't know how or don't care to do things right. So, maybe not as big a result as it would seem.
(Score: 0) by Anonymous Coward on Wednesday January 07 2015, @10:54PM
Sometimes I dream
That soy is me
You've got to see that's how I dream to be
I dream I move, I dream I groove
Like Soy
If I could Be Like Soy
Again I try
Just need to fly
For just one day if I could
Be that way
I dream I move
I dream I groove
Like Soy
If I could Be Like Soy
Use Perl
(Score: 0) by Anonymous Coward on Thursday January 08 2015, @01:42AM
(Score: 2) by epitaxial on Thursday January 08 2015, @04:38AM
So does anyone use perl anymore?
(Score: 0) by Anonymous Coward on Thursday January 08 2015, @09:05AM
You know what language the site you're currently using is written in?
(Score: 2) by francois.barbier on Thursday January 08 2015, @09:26AM
HTML ?
(Score: 2) by WizardFusion on Thursday January 08 2015, @11:05AM
+1 Funny
(Score: 2) by DrMag on Wednesday January 07 2015, @11:03PM
Checking my server (hosted at Arvixe), I see that the default php is 5.3.28, which apparently is considered by TFA to be insecure. However, the publicly accessible website is running 5.4.27, because it's built into the installation of Drupal powering the website. (Also insecure, it turns out.)
Probably most websites aren't built by hand, but from something like Drupal or WordPress or DokuWiki or some such. So even if you push your host provider to update PHP, it may not make a difference because the other software has a different version built in.
Any advice on how to sort all of that out and ensure that every public face is secure?
(Score: 0) by Anonymous Coward on Wednesday January 07 2015, @11:07PM
Burqa.
(Score: 3, Insightful) by wonkey_monkey on Wednesday January 07 2015, @11:12PM
More than 78 per cent of all PHP installations are running with at least one known security vulnerability, a researcher has found.
Okay. So what web-facing software out there has 78 percent of all installations running without known vulnerabilities?
systemd is Roko's Basilisk
(Score: 0) by Anonymous Coward on Wednesday January 07 2015, @11:16PM
DJB publicfile [cr.yp.to] the bestest web server that will ever be written ever.
(Score: 2) by FatPhil on Wednesday January 07 2015, @11:25PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 1, Funny) by Anonymous Coward on Wednesday January 07 2015, @11:27PM
Gopherspace is not the WWW. Go back to Minnesoooota, hoser.
(Score: 3, Funny) by frojack on Wednesday January 07 2015, @11:36PM
Okay. So what web-facing software out there has 78 percent of all installations running without known vulnerabilities?
It's an oddly worded question, seemingly designed to produce parsing errors.
But taking it at face value, I rather suspect there is a LOT of web-facing software that has no KNOWN vulnerabilities. Especially software serving simple static pages.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Thursday January 08 2015, @03:06AM
It's an oddly worded question, seemingly designed to produce parsing errors.
I use segfaults for error reporting you insensitive clod!
(Score: 1) by MichaelDavidCrawford on Thursday January 08 2015, @03:11AM
I think the problem is software developers who use PHP.
I learned PHP a while back. While I came to regard it as "not my cup of tea", I could see how it would appeal to other people.
The problem we've got, for any website, is inadequate testing, inadequate code auditing and code reviews, management consisting of pointy-haired bosses and VCs who want a quick, profitable IPO rather than the desire to mentor the chilluns.
Radio Paradise got owned by "some boys from Brasil" a while back. At the time it was built on phpNuke. Bill, the site's owner and DJ, took it down for a few days, then rewrote the code, still in PHP. The new site looked just like the old one; despite still being implemented in PHP, Bill hasn't reported any hacks since then.
However, Bill is olde and greyye, like me.
I expect it would be enlightening were someone to do a study of reported exploits vs. the ages of the developers who wrote the code.
Yes I Have No Bananas. [gofundme.com]
(Score: 3, Insightful) by Whoever on Thursday January 08 2015, @04:04AM
This just shows massive ignorance about the way major distributions deploy security fixes.
Red Hat doesn't update the version of PHP; instead, they backport the fixes to the same major/minor version that is supported for that major release of RHEL.
For example, there are many servers running php-5.3.x, but they are secure, because the Red Hat version has all the security fixes.
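An added illustration of the point made here (and of jcross's remark above that the survey data most likely came from advertised version headers), not code from the thread, the article or any vendor: comparing an advertised upstream version against "fixed in" versions misreads a distribution package that carries backported fixes. The advisory ids, fixed-in versions and the package release string are constructed samples, not real advisories or packages.

```python
import re

# Constructed sample: for each advisory, the upstream version per release
# branch in which the fix landed. The advisory ids are placeholders.
UPSTREAM_FIXED_IN = {
    "ADV-1 (constructed)": {(5, 3): (5, 3, 29), (5, 4): (5, 4, 25)},
    "ADV-2 (constructed)": {(5, 4): (5, 4, 30), (5, 5): (5, 5, 14)},
}

# Constructed sample: fixes a distribution has backported into its own
# package release without changing the upstream version number.
DISTRO_BACKPORTS = {
    "php-5.3.3-40.el6 (constructed)": {"ADV-1 (constructed)"},
}


def parse_version(text):
    """Turn 'PHP/5.3.3' (as seen in an X-Powered-By header) or '5.3.3'
    into a tuple of ints so versions compare numerically, not as strings."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(x) for x in m.groups())


def naive_missing_fixes(advertised):
    """What a header-only survey concludes: any fix that landed later on the
    same branch is assumed absent. Branches with no entry are treated as
    not affected by that advisory."""
    v = parse_version(advertised)
    branch = v[:2]
    return {
        adv for adv, fixed in UPSTREAM_FIXED_IN.items()
        if branch in fixed and v < fixed[branch]
    }


def missing_fixes(advertised, package=None):
    """Same check, but credit fixes the distro backported into this package.
    Without the package identity the result is the naive one."""
    missing = naive_missing_fixes(advertised)
    if package:
        missing -= DISTRO_BACKPORTS.get(package, set())
    return missing


if __name__ == "__main__":
    # A header-only view flags the distro build; the package view clears it.
    print(naive_missing_fixes("PHP/5.3.3"))
    print(missing_fixes("PHP/5.3.3", "php-5.3.3-40.el6 (constructed)"))
```

The practical consequence is that an external survey (or an internal inventory) keyed on the advertised version needs the package's own changelog or advisory data before it can say a backported build is vulnerable.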
(Score: 3, Interesting) by MichaelDavidCrawford on Thursday January 08 2015, @04:12AM
The O'Reilly Apache Security book advises that the reader configure their httpd to identify itself as IIS. That way the kiddies waste their cycles beating against it with Windows exploits.
I used to do that myself, but I checked just now and that seems to have fallen on the floor when I got a new server.
Just about the most clueless thing you can do in the way of security is to tell the truth with your version number.
Yes I Have No Bananas. [gofundme.com]
(Score: 0) by Anonymous Coward on Thursday January 08 2015, @02:46PM
Want to have your server pwned? Run a server!
Want to absolutely have your server never pwned? Don't run a server!
Oh, wait, people who run servers probably need them running, huh? And people running php probably need php for some reason. If not, why would you run it?