Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
PHP Bug Security

As PHP Group Patches High-Risk Bugs, 62% of Sites Still Use PHP 5 (threatpost.com) 112

America's Multi-State Information Sharing & Analysis Center is operated in collaboration with its Department of Homeland Security's Office of Cybersecurity and Communications -- and they've got some bad news. MS-ISAC released an advisory warning government agencies, businesses, and home users of multiple high-risk security issues in PHP that can allow attackers to execute arbitrary code. Furthermore, if the PHP vulnerabilities are not successfully exploited, attackers could still induce a denial-of-service condition rendering the probed servers unusable... The PHP Group has issued fixes in the PHP 7.1.23 and 7.2.11 releases for all the high-risk bugs that could lead to DoS and arbitrary code execution in all vulnerable PHP 7.1 and 7.2 versions before these latest updates.
But meanwhile, Threatpost reported this week that 62% of the world's web sites are still running PHP version 5 -- even though its end of life is December 31st. "The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided," warned a recent CERT notice.

So far Drupal is the only CMS posting an official notice requiring upgrades to PHP 7 (by March, three months after the PHP 5.6's end of life deadline). Threatpost notes that "There has been no such notice from WordPress or Joomla."
This discussion has been archived. No new comments can be posted.

As PHP Group Patches High-Risk Bugs, 62% of Sites Still Use PHP 5

Comments Filter:
  • Was version 6 utterly shite, or can't they even count?

    • yes

    • by Anonymous Coward

      Not sure if you're just having a simple go at trolling, but PHP 6 never happened - the fundamental design was never completed and instead most of the ideas were formalized for PHP 7.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Besides, normally even numbers are used for stable releases. Why would PHP ever be considered dependable or trustworthy as a stable runtime?

    • by gman003 ( 1693318 ) on Saturday October 20, 2018 @06:35PM (#57510862)

      PHP 6 was never actually released.

      PHP 6's main feature was better Unicode support... via UTF-16, which it turns out is an awful idea. It's still variable-length, so you get all that complexity just like UTF-8, but it's hugely wasteful in comparison to UTF-8 on stuff like HTML (outputting is literally the main purpose of PHP), and it adds some byte-endianness problems. After realizing it was going to tank performance and just cause more and more problems to develop, the other features were stripped out and ported back to PHP5. PHP7 was a separate project, focused on a new engine for much better performance (though it also added some much-needed syntax like typed parameters and null coalescing). They decided to just skip PHP6 because there was so much published material talking about it, but the main feature of it never appeared (PHP7 internally uses UTF-8 for strings).

      • Really, while that is a rather wordy way of saying 'so utterly shite it never made it out the door,' it is quite interesting to know how and why it was so bad. Thank you!

    • by hcs_$reboot ( 1536101 ) on Saturday October 20, 2018 @08:30PM (#57511206)
      PHP 6 was released along with iPhone 9.
    • by bobby ( 109046 )

      php 6 was only supported on Windows 9.

  • Lots of enterprises rely on RHEL 7 / CentOS 7, and those are currently shipping PHP 5.4.16.

    • by cute-boy ( 62961 )

      Lots of enterprises rely on RHEL 7 / CentOS 7, and those are currently shipping PHP 5.4.16.

      And if you stay up to date, they are patched (but frequently lacking newer features), at least for RHEL. The Package Versions - Why our package versions are (almost) never bumped up? [redhat.com].

      • And if you stay up to date, they are patched (but frequently lacking newer features), at least for RHEL.

        Oh yeah, I didn't mean to imply otherwise (FWIW we're a CentOS 7 shop). But it would still show up as "PHP 5" on a survey - which might say as much about the limited usefulness of stories like this one as it does about anything else.

    • RHEL/CentOS 6 ships PHP 5.3.3. But one of the things that you get by using something like RedHat is that they back-port bug fixes. Sure a newer version of PHP might be nice, but if the applications work with (a bug-fixed) 5.3.3 then what is the business case for upgrading ? If a later version really is wanted then it is available via Software Collections [softwarecollections.org].

    • RH/Centos do offer software collections [redhat.com] with more modern versions[ if they want it.
  • PHP 5.6 (Score:5, Insightful)

    by Dutch Gun ( 899105 ) on Saturday October 20, 2018 @05:52PM (#57510734)

    Everyone is making it sound like PHP 5.6 is some ancient piece of cruft that everyone has had PLENTY of time to upgrade. In fact, after looking it up, it's only about four years old. That surprised me. It's at end of life already?

    Since when is "move fast and break things" a winning strategy for a server-side scripting language which runs much of the world's internet infrastructure? Shouldn't the "deadline will not be extended" attitude perhaps be re-evaluated in light of reality?

    We've seen this happen before, of course. Language developers often seem to underestimate how long it takes infrastructure to migrate to newer, incompatible versions of a language. For instance, the Python 2.7/3.x split, which occurred a *decade* ago, is still causing headaches on occasion. At least the Python devs had the good sense to support 2.7 until 2020. I'm going to bet that another four years from now, you'll still see a significant number of sites still using PHP 5.6, official support or not.

    • by eutychus ( 71710 )

      5.6 is a minor release. PHP 5.0 (first major series release) came out July 2004... and 7.0 came out almost 3 years ago. I've used PHP off and on since 2.0.... If memory serves me, there were major breaking changes between 2 and 3, a few breaking changes between 3 and 4, rare few breaking changes between 4 and 5 and rare few between 5 and 7. The main exceptions I can think of are around misguided features such as magic quotes which were rightly deprecated.

      We have quite a lot of old code in production that

      • by guruevi ( 827432 )

        Yeah minor things like magic quotes and MySQL libraries. All mysql calls from PHP5 have to be changed to at least mysqli if not PDO which is a big difference if you have deep entanglements with your database.

        • The old MySQL library (the one whose functions start with "mysql_" instead of "mysqli_", which dates back all the way to PHP2) was fundamentally broken. An API-compatible replacement could not be protected from SQL injection. For that reason, mysql_ was deprecated for the entire 5.x block - issuing increasingly dire warnings with every point release. Finally, PHP7 threw it out because it was the only way to force people to fix their broken insecure code.

          In order to have that problem while upgrading, you'd e

          • by guruevi ( 827432 )

            Both Perl and Ruby have implemented injection-proofing with a thing called tainted variables. You can't fix stupid but in many cases you can make old applications injection proof by simply cleaning the $_REQUEST array at the very beginning of your script.

            Sure it isn't clean but it's cheaper than rewriting hundreds of lines of code and introducing weird bugs or having to write tests for an application that doesn't have them.

            The PHP way of requiring spaghetti-code (OOM) in the middle of what's basically a scr

            • The tainted variables concept only works if you have functions that can actually clean them. AIUI, the old mysql_ API does not have that, and in fact cannot have that without breaking compatibility with old (MySQL 4.x) servers. The actual C-level API for MySQL changed, as did the network protocol. So they split it - mysql_ was kept around for compatibility, and mysqli_ was made to take advantage of the new features, like bound parameters which ACTUALLY solve the problem of tainted data by separating data an

  • Replacing stuff from 5.x that doesn't work is nigh trivial. Then again, if you did your homework and didn't code crap, 5.x is perfectly safe.
    Of course we all know that PHP is the favorite PL of many people who can't programm, so YMMV.

  • by LostOne ( 51301 ) on Saturday October 20, 2018 @06:37PM (#57510866) Homepage

    There is a *lot* of code out there that does questionable stuff in PHP. Stuff that approximately works in PHP 5.6 but fails hard in PHP 7. A large amount of it is relying on things that were deprecated way before PHP 5.6 was even considered as a possibility. A lot of that code is non-trivial so it isn't a quick fix to update it, or worse, is orphaned and there is nobody to update it.

    Even worse, a large fraction of it is on sites who don't have a programmer. It exists in unmaintained modules or add-ons to some framework or other that is, itself, often never upgraded. At $dayjob, I've lost count of the number of web sites that get defaced because someone bought a web site from $random_web_developer who used $framework and then never did any maintenance. I mean, people still expect a web site to be "fire and forget", especially if it's a simple brochure style site, and don't understand why they should have to put resources into maintaining it. And they're not wrong, either. These are the vast majority of the sites I can't force-upgrade to PHP 7 without having the customers simply cancel their accounts and not pay their outstanding bills. (Eventually I'll have to, but not today.)

    On the other hand, I had almost no issues running PHP code I wrote on PHP 7. But that's probably because I don't overcomplicated the code with eleventy thousand classes, namespaces, autoloading classes, "Composer", or any other fancy gimmick that is all the rage today. The issues I did have tended to be due to code that really shouldn't have worked in the first place, or actually wasn't working properly even on PHP 5.6.

    • by decep ( 137319 )

      You will have almost no problems running your code under PHP 7 as long as your code is not crap. Specifically 7.1+.

      The problem is, your code is probably crap and you just do not know it. The amount of bad code that is silently accepted in PHP 7.0 (and less) is just mind boggling.

      This has always been the problem with PHP. PHP gives you the rope hang yourself, you just do not know you have hung yourself.

      PHP is the only language that makes you wish you were using Perl.

  • Your application may well work with PHP 7.x, or there may be a newer version of it that does work with the newer version. That is unless you have home grown code, or must run an older version.

    If you are running Debian or Ubuntu, you can upgrade PHP to 7.2, using the following commands:

    LC_ALL=C.UTF-8 sudo add-apt-repository ppa:ondrej/php
    sudo apt update
    sudo apt install php7.2

    This works on Ubuntu 16.04 LTS, if you need to stay on that, and not having to upgrade to 18.04 LTS. The former is supported for a fe

    • no, in general it won't work, PHP 7 breaks backwards compatibility which is why this article has no point.

      Languages that break backwards compatibility cause people to stay with older versions. Get used to it, the next decade belongs to PHP 5

      • by kbahey ( 102895 )

        While what you say is generally the case, it does not have to be.

        For example, Drupal 6 was released in Feb 2018, that is more than a decade ago. It was End of Life on Feb 2016, after version 8 came out.

        But that did not stop people from using it. Even the impending PHP version change did not deter some from making the necessary changes for Drupal 6 to run under PHP 7.2.

        See for example this announcement [mydropwizard.com].

        I am testing a Drupal 6 site now and it does run under PHP 7.2.

        So, checking whether the package one uses ha

        • You picked the worst thing on the planet to support your position.

          there are 41,500 Drupal modules out there. You think a money making company is going to risk breaking one of the many chosen out of that pile that run their sites by changing PHP major version? Not a chance in hell.

          Anyway, less than 2 percent of web sites use Drupal, it's not the driving force behind PHP websites.

          • by kbahey ( 102895 )

            I am a Drupal contributor for the past 15 years, so I know Drupal pretty well.

            As I mentioned before Drupal 6 (core) has been patched to fully work with PHP 7.2. There is a concerted effort to do the same for Drupal 7 [drupal.org].

            Yesterday, I tried PHP 7.2 with 4 sites on two servers. One site is Drupal 6, the others are Drupal 7. They all worked without a single code change. One configuration statement had to be omitted, but that was it. The sites in question have the advantage of not being a victim of the open buffet [2bits.com]

            • I'm devops who has a few dozen drupal servers in the hundreds of servers I admin....

              since PHP 5.x is supported and will have security patches, why would we bother to even test 7.x and hope the hundreds of modules we use would have something missed in the test? Answer, we won't, we'll use the modules that were written for PHP 5 with 5.

              There is zero incentive to change, it's only risk with huge downside if something missed. Someday when security patches stop then it would be concern.

              other languages

              • by kbahey ( 102895 )

                since PHP 5.x is supported and will have security patches, why would we bother to even test 7.x

                I thought it was obvious, and you knew, but here it is:

                PHP 5.6 (the last release for 5.x) will be end of life by 31 Dec 2018 (that is 2 months from now).

                PHP 7.0, which is the default version for Ubuntu 16.04 LTS, end of life 3 Dec 2018 (1 month from now).

                See PHP supported versions [php.net].

                Hence, PHP 7.2 is the current version with the most life left, and the need to upgrade to it.

                A little more into the future: PHP 7.3 is

                • the paid distros have their own support schedule, php 5 is a part of them

                  • by kbahey ( 102895 )

                    I don't use paid distros.

                    I use Ubuntu 16.04 LTS for all my servers. There is still one client on 14.04 LTS even.

                    Hence the need to move. So far, no surprises.

  • a publicly exposed language which has always had security issues,
    clever websites - not

  • Joomla has been urging people to update to PHP 7 for quite awhile now. There's a big message right on the admin dashboard.
  • It should be noted that CentOS 6 notably (and RH6 I would assume) by default still ship with PHP 5 (5.6 by now I think?) To get a newer version, you must add a different repo as I don't think PHP7+ is even in EPEL. I can easily see why the number is so high, not to mention anyone crazy enough to run PHP on IIS where it most likely will just tick to the end of its useful life instead of going through an upgrade process.
  • I think a large percentage of that is the CentOS/RHEL that is still on 5.x which isn't as awful as it sounds because Redhat will ensure security fixes for 5.x as long as they continue to distribute it. They have a history of backporting fixes to ensure stable versions for a very long time. But I am very surprised by how long they've stayed at PHP 5.x, feels like more focus was placed on python 3 than php 7, and for good reason.

To stay youthful, stay useful.

Working...