
SoylentNews is people

posted by Blackmoore on Wednesday January 07 2015, @10:02PM
from the all-your-base dept.

Over three-quarters of all installs are insecure, research shows

The Register - Want to have your server pwned? Easy: Run PHP

More than 78 per cent of all PHP installations are running with at least one known security vulnerability, a researcher has found.

Google developer advocate Anthony Ferrara reached this unpleasant conclusion by correlating statistics from web survey site W3Techs with lists of known vulnerabilities in various versions of PHP.

What he found is that many, many PHP-powered websites are using insecure versions of the interpreter – so much so that it's actually easier to find an insecure PHP setup on the internet than a secure one.

"This is absolutely and unequivocally pathetic," Ferrara wrote.

The two most popular PHP releases, according to W3Techs' statistics, were versions 5.2.17 and 5.3.29. Together, they accounted for 24 per cent of the total – and both are insecure.

 
  • (Score: 2) by DrMag (1860) on Wednesday January 07 2015, @11:03PM (#132747)

    Checking my server (hosted at Arvixe), I see that the default PHP is 5.3.28, which apparently is considered by TFA to be insecure. However, the publicly accessible website is running 5.4.27, because it's built into the installation of Drupal powering the website. (Also insecure, it turns out.)

    Probably most websites aren't built by hand, but from something like Drupal or WordPress or DokuWiki or somesuch. So even if you push your host provider to update PHP, it may not make a difference because the other software has a different version built in.

    Any advice on how to sort all of that out and ensure that every public face is secure?

  • (Score: 0) by Anonymous Coward on Wednesday January 07 2015, @11:07PM (#132749)

    Any advice on how to sort all of that out and ensure that every public face is secure?

    Burqa.