Slashdot Mirror


As PHP Group Patches High-Risk Bugs, 62% of Sites Still Use PHP 5 (threatpost.com)

America's Multi-State Information Sharing & Analysis Center is operated in collaboration with the Department of Homeland Security's Office of Cybersecurity and Communications -- and they've got some bad news. MS-ISAC released an advisory warning government agencies, businesses, and home users of multiple high-risk security issues in PHP that can allow attackers to execute arbitrary code. Furthermore, if the PHP vulnerabilities are not successfully exploited, attackers could still induce a denial-of-service condition rendering the probed servers unusable... The PHP Group has issued fixes in the PHP 7.1.23 and 7.2.11 releases for all the high-risk bugs that could lead to DoS and arbitrary code execution in all vulnerable PHP 7.1 and 7.2 versions before these latest updates.
But meanwhile, Threatpost reported this week that 62% of the world's web sites are still running PHP version 5 -- even though its end of life is December 31st. "The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided," warned a recent CERT notice.

So far Drupal is the only CMS posting an official notice requiring upgrades to PHP 7 (by March, three months after PHP 5.6's end-of-life deadline). Threatpost notes that "There has been no such notice from WordPress or Joomla."

2 of 112 comments

  1. Re: by Anonymous Coward · Score: 0, Informative

    Oh I dunno, maybe the fact that most things in the world of the web are built on it, and that the majority of these things operate perfectly fine - that which does not is a problem of the web application, not PHP. Don't conflate poor applications with poor languages/frameworks. They are complex tools and misuse isn't the fault of the language. It has quirks, but it's not incapable. Only a non-programmer - or finicky developers with "special needs" - will tell you so.

  2. Re:5 and, but no mention of PHP 6 by gman003 · Score: 5, Informative

    PHP 6 was never actually released.

    PHP 6's main feature was better Unicode support... via UTF-16, which it turns out is an awful idea. It's still variable-length, so you get all that complexity just like UTF-8, but it's hugely wasteful in comparison to UTF-8 on stuff like HTML (outputting is literally the main purpose of PHP), and it adds some byte-endianness problems. After realizing it was going to tank performance and just cause more and more problems to develop, the other features were stripped out and ported back to PHP5. PHP7 was a separate project, focused on a new engine for much better performance (though it also added some much-needed syntax like typed parameters and null coalescing). They decided to just skip PHP6 because there was so much published material talking about it, but the main feature of it never appeared (PHP7 internally uses UTF-8 for strings).