78 percent of PHP servers run with at least one known security bug
January 5, 2015
A new research brief reveals that more than 78 percent of all PHP server installations are running with at least one known security vulnerability.
Google security advocate Anthony Ferrara reached this troubling conclusion by correlating version statistics from survey site W3Techs with lists of known security issues in the various releases of the PHP interpreter.
What he found is that a large share of PHP-powered websites are using insecure versions of the interpreter. So much so that it's actually easier to find an insecure PHP setup on the internet than a secure one.
"This is absolutely and unequivocally pathetic," Ferrara wrote. The two most popular PHP releases, according to W3Techs' statistics, were versions 5.2.17 and 5.3.29.
Together, they accounted for about a quarter of the total, and both are insecure. More to the point, Ferrara found that for each minor version of PHP from 5.3 through 5.6, only a small number of point releases are not known to contain any security vulnerabilities, and most systems aren't running those releases.
In Ferrara's findings, 93.3 percent of all PHP 5.6.x installs were insecure, as were 63.4 percent of PHP 5.5.x installs, 89.6 percent of PHP 5.4.x installs, and 66.1 percent of PHP 5.3.x installs.
As for PHP 5.2, just write it off completely. No versions of 5.2 are considered secure at all.
But curiously, PHP 5.1 actually fared well. Fully 94.8 percent of all PHP 5.1 installations were running a secure version, according to W3 Techs' numbers.
PHP 5.1 is nine years old, and only 1.2 percent of the sites surveyed were still running it.
Of course, this isn't to say that none of the other software packages that power the internet contain security vulnerabilities.
Ferrara also found that about 38 percent of websites running the Apache web server were insecure, as were 36 percent of sites running Nginx, 22 percent of sites running Python, and 18 percent of sites running Perl.
But PHP's miserable security record really took the cake in Ferrara's study. Add to that the applications that run on top of PHP: at least 55 percent of Drupal installations had their own security issues, as did 40 percent of WordPress installations.
And you could almost say that any server running the language is just an exploit waiting to happen, unless of course you happen to be one of those happy few who are running an airtight version.
The latest releases of PHP 5.4, 5.5 and 5.6 are all thought to be secure, we are told.
"Check your installed versions," Ferrara urged system admins. "Push for people to update. Don't accept 'if it works, don't fix it.' You have the power to change this, so change it. Security is everyone's concern."
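Ferrara's method (tally each version's share of surveyed sites, then mark every release not on a branch's known-clean list as insecure) and his closing advice (check what you actually have installed) can both be carried out with a few lines of code. The example below is added here and is not Ferrara's script or anything from W3Techs: the version shares are constructed sample numbers, not the real survey figures, and the per-branch lists of "secure" releases are illustrative placeholders that you would refill from the PHP changelog and NVD before relying on the result.

```python
"""Per-branch "insecure install" percentages, Ferrara-style, plus a check of a
local `php -v` line. Added example; data below is constructed, not W3Techs'."""
import re
from collections import defaultdict

# Constructed sample: (version, share of surveyed sites in percent).
# These are NOT the real W3Techs figures quoted in the article.
SAMPLE_SHARES = [
    ("5.2.17", 13.0),
    ("5.3.3", 9.0),
    ("5.3.29", 12.0),
    ("5.4.4", 5.0),
    ("5.4.36", 2.0),
    ("5.5.9", 6.0),
    ("5.5.20", 3.0),
    ("5.6.2", 2.0),
    ("5.6.4", 1.0),
]

# Assumption: per-branch set of releases with no known security issue at the
# time of the check. Illustrative placeholders; a branch missing from this
# table (5.2 here) is treated as having no clean release at all.
SECURE_RELEASES = {
    "5.4": {"5.4.36"},
    "5.5": {"5.5.20"},
    "5.6": {"5.6.4"},
}


def parse_version(v):
    """'5.4.36' -> (5, 4, 36), so releases compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def branch_of(v):
    """'5.4.36' -> '5.4' (major.minor branch)."""
    major, minor = v.split(".")[:2]
    return f"{major}.{minor}"


def is_secure(version, secure=SECURE_RELEASES):
    return version in secure.get(branch_of(version), set())


def insecure_share_by_branch(shares, secure=SECURE_RELEASES):
    """Percent of installs on each branch that are not on a known-clean release."""
    total, bad = defaultdict(float), defaultdict(float)
    for version, share in shares:
        b = branch_of(version)
        total[b] += share
        if not is_secure(version, secure):
            bad[b] += share
    return {b: round(100 * bad[b] / total[b], 1) for b in total}


def overall_insecure_share(shares, secure=SECURE_RELEASES):
    """Percent of all surveyed installs that are insecure (the headline figure)."""
    total = sum(s for _, s in shares)
    bad = sum(s for v, s in shares if not is_secure(v, secure))
    return round(100 * bad / total, 1)


# First line of `php -v` looks like "PHP 5.4.4-14+deb7u14 (cli) (built: ...)".
PHP_V_RE = re.compile(r"^PHP (\d+\.\d+\.\d+)")


def installed_version(php_v_output):
    """Pull the bare x.y.z version out of `php -v` output."""
    m = PHP_V_RE.match(php_v_output)
    if not m:
        raise ValueError("not a php -v banner: %r" % php_v_output[:40])
    return m.group(1)


def audit(php_v_output, secure=SECURE_RELEASES):
    """Classify a local interpreter: (version, 'secure'|'insecure', advice)."""
    v = installed_version(php_v_output)
    b = branch_of(v)
    if b not in secure:
        return (v, "insecure", "branch has no release without known issues")
    if v in secure[b]:
        return (v, "secure", "no action")
    newest = max(secure[b], key=parse_version)
    return (v, "insecure", f"update to {newest}")


if __name__ == "__main__":
    print(insecure_share_by_branch(SAMPLE_SHARES))
    print("overall:", overall_insecure_share(SAMPLE_SHARES))
    for banner in ("PHP 5.6.4 (cli)", "PHP 5.4.4-14+deb7u14 (cli)", "PHP 5.2.17 (cli)"):
        print(audit(banner))
```

One caveat a practitioner should keep in mind when running `audit` on a real host: a distribution-built interpreter such as the `5.4.4-14+deb7u14` banner above usually has security fixes backported without bumping the upstream version number, so a version-only comparison like this one (and the survey method it mirrors) will flag such builds as insecure even when the relevant fixes are present. Treat a hit as a prompt to check the package's changelog, not as proof of an exploitable install.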