PHP Installations Vulnerable

Monday, January 5, 2015 @ 03:01 PM gHale

Over 78 percent of all PHP installations are running with at least one known security vulnerability, one researcher said.

By correlating statistics from web survey site W3Techs with lists of known vulnerabilities in various versions of PHP, Google developer advocate Anthony Ferrara was able to reach that conclusion.


PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language.

What Ferrara found is quite a few PHP-powered websites are using insecure versions of the interpreter. “This is absolutely and unequivocally pathetic,” Ferrara said.

The two most popular PHP releases, according to W3Techs’ statistics, were versions 5.2.17 and 5.3.29. Together, they accounted for 24 percent of the total. The problem, he said, is both are insecure.

More to the point, Ferrara found that for each major version of PHP from 5.3 through 5.6, only a small number of minor releases are free of known vulnerabilities, and most systems are not running those secure releases.

In Ferrara’s findings, 93.3 percent of all PHP 5.6.x installs were insecure, 63.4 percent of PHP 5.5.x installs were insecure, 89.6 percent of PHP 5.4.x installs were insecure, and 66.1 percent of PHP 5.3.x installs were insecure.
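The percentages above come from joining a version-distribution survey with a per-branch list of fixed-in patch levels. The following Python script is an added example of that joining step, not Ferrara's code or W3Techs data: the survey shares and the "fixed in" patch numbers are constructed placeholders, and the rule that an end-of-life branch is wholly insecure is an assumption made to match the page's statement about PHP 5.2. Version strings are compared numerically, because a plain string comparison would wrongly rank "5.4.9" above "5.4.16".

```python
from collections import defaultdict
from typing import Dict, Tuple

# Constructed sample: share (percent of surveyed sites) per exact PHP
# version. Illustrative placeholders, not W3Techs figures.
SURVEY_SHARE: Dict[str, float] = {
    "5.2.17": 14.0,
    "5.2.6": 4.0,
    "5.4.45": 6.0,
    "5.4.16": 18.0,
    "5.5.21": 10.0,
    "5.5.9": 5.0,
    "5.6.5": 2.0,
    "5.6.0": 1.0,
}

# Constructed advisory table: for each maintained branch, the patch levels
# at which hypothetical flaws were fixed. Placeholder numbers, not real
# advisories; a real check would load these from the vendor's changelog.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "5.4": (38, 45),   # two hypothetical advisories, fixed in 5.4.38 and 5.4.45
    "5.5": (21,),
    "5.6": (5,),
}

# Assumption: a branch with no maintained release has no secure version
# (the page states this for PHP 5.2).
EOL_BRANCHES = {"5.2"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Split 'major.minor.patch' into integers so ordering is numeric."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_secure(version: str) -> bool:
    """True only if the patch level is at or above the newest fix for its branch."""
    major, minor, patch = parse_version(version)
    branch = f"{major}.{minor}"
    if branch in EOL_BRANCHES:
        return False
    fixes = FIXED_IN.get(branch)
    if fixes is None:
        return False  # unknown branch: assume insecure rather than silently pass
    return patch >= max(fixes)


def insecure_share_by_branch(survey: Dict[str, float]) -> Dict[str, float]:
    """Percent of each branch's surveyed share running an insecure release."""
    totals: Dict[str, float] = defaultdict(float)
    insecure: Dict[str, float] = defaultdict(float)
    for version, share in survey.items():
        major, minor, _ = parse_version(version)
        branch = f"{major}.{minor}"
        totals[branch] += share
        if not is_secure(version):
            insecure[branch] += share
    return {b: round(100 * insecure[b] / totals[b], 1) for b in sorted(totals)}


def overall_insecure_share(survey: Dict[str, float]) -> float:
    """Percent of all surveyed share running an insecure release."""
    total = sum(survey.values())
    bad = sum(share for v, share in survey.items() if not is_secure(v))
    return round(100 * bad / total, 1)


if __name__ == "__main__":
    for branch, pct in insecure_share_by_branch(SURVEY_SHARE).items():
        print(f"PHP {branch}.x: {pct}% insecure")
    print(f"all branches: {overall_insecure_share(SURVEY_SHARE)}% insecure")
```

Swapping the placeholder `FIXED_IN` table for the real fixed-in versions from the PHP changelog, and `SURVEY_SHARE` for an actual version census, turns this into a reusable check; the per-branch breakdown is what makes a result like "5.6.x is 93.3 percent insecure" actionable, since it points at the branches where the installed base lags furthest behind the current patch release.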

When it comes to PHP 5.2, no versions are secure.

PHP 5.1 fared well. 94.8 percent of all PHP 5.1 installations were running a secure version, according to the research. The catch is PHP 5.1 is nine years old, and only 1.2 percent of the sites surveyed were still running it.

This isn’t to say, of course, that none of the other software packages that power the Internet contain vulnerabilities. Ferrara found 38 percent of sites running the Apache web server were insecure, as were 36 percent of sites running Nginx, 22 percent of sites running Python, and 18 percent of sites running Perl.

The applications that run on top of PHP were not immune either: 55 percent of Drupal installs had their own security bugs, as did 40 percent of WordPress installs.

The latest releases of PHP 5.4, 5.5, and 5.6 appear to be secure.
