Over 78% of All PHP Installs Are Insecure
An anonymous reader writes: Anthony Ferrara, a developer advocate at Google, has published a blog post with some statistics showing the sorry state of affairs for website security involving PHP. After defining a list of secure and supported versions of PHP, he used data from W3Techs to find a rough comparison between the number of secure installs and the number of insecure or outdated installs. After doing some analysis, Ferrara sets the upper bound on secure installs at 21.71%. He adds, "These numbers are optimistic. That's because we're counting all version numbers that are maintained by a distribution as secure, even though not all installs of that version number are going to be from a distribution. Just because 5.3.3 is maintained by CentOS and Debian doesn't mean that every install of 5.3.3 is maintained. There will be a small percentage of installs that are from-source. Therefore, the real 'secure' number is going to be less than quoted." Ferrara was inspired to dig into the real world stats after another recent discussion of responsible developer practices.
to assume every web server is hacked already.
Seriously, if you assume this, and code your way in a more secure, 3-tier manner, with a separate, and secured, application server, then you will mitigate all the problems with an insecure web server - well, at least they won't have full unfettered access to your database.
This may mean giving up those "all in one" frameworks people so love (whether it's PHP or .NET or any other language), but that can only be a good thing - writing an app server with a secure API isn't so hard to do, but it will mean your CEO won't have to appear on the news explaining why every user of his site needs to change their password and replace their credit cards.
Ummm... No. WordPress was first written in PHP3. Before it was even called "register globals". Back when that was just how you did things.
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
The point most people make when you talk about running old versions is that "well, distributions backport security fixes, so 5.3.3 is secure on distro XYZ".
So, to get around that, I looked at the popular distro's versions that they maintain. Then I counted *all* of those point versions as secure (over counting). So 5.3.3 is insecure as distributed by php.net, but as installed by Debian 6 it is secure.
So therefore to get an upper bound (rather than lower bound) on secure versions, you need some way of factoring in for distro support.
So I picked the most popular distros for server usage. Is this hand-waving? Absolutely. But it should give a pretty reasonable upper-bound.
WordPress is widely adopted. Very widely. The #1 reason it is insecure is because it is targeted so often.
Is that PHP's fault?
Along with WP, plenty of other platforms plainly store their database credentials in some config file. It might be PHP, maybe XML, maybe JSON ... irrelevant. The credentials are stored in plaintext on the server.
Is that PHP's fault?
All these platforms do things in their own way. I'm a Magento developer and it is a platform that is notorious for its complexity. I understand it pretty damn well, but the majority of the code I see was clearly written by folks who don't understand it very well. I've seen /www/var/log left wide open and the justification was that /www/var/log doesn't contain anything important. Just errors and stuff like that. For those paying attention, what's the difference between Mage::log($order, null, 'orders.log') and Mage::log($order->debug(), null, 'orders.log')? If you said, "the first one will log the entire object -- including database credentials", you get a cookie.
I'm talking about Magento specifically there, but every platform has its own thing and twists PHP into doing things a bit differently. This fragments the understanding of the code and results in company XYZ hiring a "PHP developer" when they should have hired "Platform X developer".
I am wary of the statistics presented by this article simply because they don't take into account platform insecurities and the plethora of code that was written with a lack of full understanding. The number of "insecure" PHP sites is probably much closer to 100% than advertised, but it usually isn't PHP's fault.
Someone flopped a steamer in the gene pool.
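The logging mistake described in the Magento comment above, as an added example that is not from the thread or from Magento's code: a model object that holds a reference to its database adapter gets dumped whole, and the adapter's credentials land in the log file. The class names, the `debug()` method and the credential values are assumptions constructed for this illustration, not Magento's own API.

```php
<?php
// Added example (not from the thread or from Magento): a model object that
// carries a reference to its database adapter, as Magento-style models do.
// Dumping the whole object reaches the adapter and leaks its credentials.
class DbAdapter {
    public $config;
    public function __construct(array $config) { $this->config = $config; }
}

class OrderModel {
    private $data;       // plain scalar fields: the business data
    private $resource;   // connection object, holds the credentials
    public function __construct(array $data, DbAdapter $resource) {
        $this->data = $data;
        $this->resource = $resource;
    }
    // Hypothetical stand-in for $order->debug(): export only the data array,
    // with password-like keys redacted, and never the resource/connection object.
    public function debug(): array {
        $out = [];
        foreach ($this->data as $key => $value) {
            $out[$key] = preg_match('/pass|secret|token|key/i', $key)
                ? '[REDACTED]' : $value;
        }
        return $out;
    }
}

// Constructed sample values; the credentials are fake placeholders.
$adapter = new DbAdapter([
    'host' => 'db.internal', 'username' => 'magento',
    'password' => 'EXAMPLE-PASSWORD-PLACEHOLDER',
]);
$order = new OrderModel(['increment_id' => '100000042', 'grand_total' => 99.90], $adapter);

// The unsafe pattern: the logger is handed the object itself. print_r walks
// private members too, so the adapter config ends up in orders.log.
$unsafe = print_r($order, true);
echo strpos($unsafe, 'EXAMPLE-PASSWORD-PLACEHOLDER') !== false
    ? "unsafe dump contains the DB password\n" : "";

// The safe pattern: log the exported data, not the object graph.
$safe = print_r($order->debug(), true);
echo strpos($safe, 'EXAMPLE-PASSWORD-PLACEHOLDER') === false
    ? "safe dump contains no credentials\n" : "";
```

A log directory that is world-readable, as the comment describes, turns the first pattern into a direct credential disclosure; the second pattern keeps connection objects out of the log regardless of the directory permissions.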
22 percent of PHP installs are secure???
The PHP install is secure.
That does not include the code being executed by PHP... just PHP itself.