As PHP Group Patches High-Risk Bugs, 62% of Sites Still Use PHP 5

America's Multi-State Information Sharing & Analysis Center is operated in collaboration with its Department of Homeland Security's Office of Cybersecurity and Communications -- and they've got some bad news. MS-ISAC released an advisory warning government agencies, businesses, and home users of multiple high-risk security issues in PHP that can allow attackers to execute arbitrary code. Furthermore, if the PHP vulnerabilities are not successfully exploited, attackers could still induce a denial-of-service condition rendering the probed servers unusable... The PHP Group has issued fixes in the PHP 7.1.23 and 7.2.11 releases for all the high-risk bugs that could lead to DoS and arbitrary code execution in all vulnerable PHP 7.1 and 7.2 versions before these latest updates.
But meanwhile, Threatpost reported this week that 62% of the world's web sites are still running PHP version 5 -- even though its end of life is December 31st. "The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided," warned a recent CERT notice.

So far Drupal is the only CMS posting an official notice requiring upgrades to PHP 7 (by March, three months after the PHP 5.6's end of life deadline). Threatpost notes that "There has been no such notice from WordPress or Joomla."

PHP 7 is a non-trivial update, for some

[LostOne]

There is a *lot* of code out there that does questionable stuff in PHP. Stuff that approximately works in PHP 5.6 but fails hard in PHP 7. A large amount of it is relying on things that were deprecated way before PHP 5.6 was even considered as a possibility. A lot of that code is non-trivial so it isn't a quick fix to update it, or worse, is orphaned and there is nobody to update it.

Even worse, a large fraction of it is on sites who don't have a programmer. It exists in unmaintained modules or add-ons to some framework or other that is, itself, often never upgraded. At $dayjob, I've lost count of the number of web sites that get defaced because someone bought a web site from $random_web_developer who used $framework and then never did any maintenance. I mean, people still expect a web site to be "fire and forget", especially if it's a simple brochure style site, and don't understand why they should have to put resources into maintaining it. And they're not wrong, either. These are the vast majority of the sites I can't force-upgrade to PHP 7 without having the customers simply cancel their accounts and not pay their outstanding bills. (Eventually I'll have to, but not today.)

On the other hand, I had almost no issues running PHP code I wrote on PHP 7. But that's probably because I don't overcomplicated the code with eleventy thousand classes, namespaces, autoloading classes, "Composer", or any other fancy gimmick that is all the rage today. The issues I did have tended to be due to code that really shouldn't have worked in the first place, or actually wasn't working properly even on PHP 5.6.