As PHP Group Patches High-Risk Bugs, 62% of Sites Still Use PHP 5

America's Multi-State Information Sharing & Analysis Center is operated in collaboration with its Department of Homeland Security's Office of Cybersecurity and Communications -- and they've got some bad news. MS-ISAC released an advisory warning government agencies, businesses, and home users of multiple high-risk security issues in PHP that can allow attackers to execute arbitrary code. Furthermore, if the PHP vulnerabilities are not successfully exploited, attackers could still induce a denial-of-service condition rendering the probed servers unusable... The PHP Group has issued fixes in the PHP 7.1.23 and 7.2.11 releases for all the high-risk bugs that could lead to DoS and arbitrary code execution in all vulnerable PHP 7.1 and 7.2 versions before these latest updates.
But meanwhile, Threatpost reported this week that 62% of the world's web sites are still running PHP version 5 -- even though its end of life is December 31st. "The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided," warned a recent CERT notice.

So far Drupal is the only CMS posting an official notice requiring upgrades to PHP 7 (by March, three months after the PHP 5.6's end of life deadline). Threatpost notes that "There has been no such notice from WordPress or Joomla."

APK Hosts File Engine for MacOS... apk

It's here! APK Hosts File Engine 1.0++ 64-bit for MacOS h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r M a c O S . z i p

Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

Vs. "Bolt on 'MoAr' illogic-logic" slowing you hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploitation!

* ONLY 1 of its kind in GUI 4 MacOS!

(Better vs. Windows model in speed/efficiency/merge)

APK

P.S.=> China copied my work because they can't do better. Protects against Spectre & Meltdown + redirect poisoned or downed DNS/botnets/malware downloads/malcript/email malicious payloads... apk

Re:APK Hosts File Engine for MacOS... apk

[IInhaleFatCashews]

WARNING!

Do NOT use this. APK's host files are a bitcoin miner VIRUS. APK is very much real, he talks to himself, and he is a schizophrenic hacker. BEWARE!

Re:APK Hosts File Engine for MacOS... apk

I try your hosts file and my computer explode. Now I annoying.

Haha, PHP

It will never escape itself.

Re:Haha, PHP

[eneville]

Is that a reference to magic quotes? :)

Re:Haha, PHP

No, PHP cannot escape by itself, but PHP + MySQL can if you really want to do that: mysql_real_escape_string(...)

Can we get some "fractal of bad design" links?

Just to make it look like you know anything at all about programming and PHP.

Re:Can we get some "fractal of bad design" links?

[tepples]

Enjoy Fractal, Hardly, and a synthesis of the two by analogy to Douglas Crockford's JavaScript: The Good Parts

PHP 7 is awesome

Very fast and elegant language for the backend, easy to get going, plenty of good libraries and frameworks. Hipster "programmers" gotta wrap their pale lips around the latest garbage replacements of the day. long live PHP

Re:PHP 7 is awesome

certainly a lot of improvements since I started using it 15 years ago. still waiting at work for the IT guys to let us get off 5.3.x :(

Re:PHP 7 is awesome

Wait... PHP, the language? You seem to be talking about something else.

Re:PHP 7 is awesome

This feature seeks to provide better security when unserializing objects on untrusted data. It prevents possible code injections by enabling the developer to whitelist classes that can be unserialized.

My coder sense is tingling.

The new intdiv() function performs an integer division of its operands and returns it.

The fuck?

To enable strict mode, a single declare directive must be placed at the top of the file. This means that the strictness of typing for scalars is configured on a per-file basis.

session_start() now accepts an array of options that override the session configuration directives normally set in php.ini.

Global and/or server variables that change how the language behaves. Check.

It still looks like a clusterfuck to me, although maybe slightly more unfucked than the last one.

Re: PHP 7 is awesome

Thank you

Re: PHP 7 is awesome

The reason everyone uses 5.5 is that Symfony2 requires it. bits of Symfony2 are in fucking everything.

Php/jquery frameworks are some of the worst Webdev shit that exists. We should go back and start developing things with C rather than creating these god damn framework shits.

Re: PHP 7 is awesome

Facebook uses php, faggot. Kill yourself nodejs shill

Re:PHP 7 is awesome

[infolation]

It still looks like a clusterfuck to me, although maybe slightly more unfucked than the last one.

Regrettably $CLUSTER_FUCK is a superglobal.

Re: PHP 7 is awesome

[Z00L00K]

It might be, but the major reason for people not upgrading is that there are breaking changes between the major versions of php.

So you can't just drop in a new version because then something on your server breaks. And anyone that knows that piece of code has long ago left for greener pastures. It's usually some medium sized package that just do the job and is key for the business.

Php is also a headache from a test perspective since you don't find the broken stuff until you try to access it. Some of it may only be accessed once per year and only during new year break by an automatic script.

Things like that makes me dislike script based solutions.

Re: PHP 7 is awesome

[wimg]

There are tools to check your code to see if it will work with newer versions of PHP, like PHPCompatibility.

Any testing PHP is easy : you can write unit tests, integration tests, etc.

Re: PHP 7 is awesome

[Z00L00K]

The problem is still that you have to get someone that can care for the code. It's a common problem - hire someone to do a specific job and then when that person leaves there's just something that works, but it happens to block upgrades also for other applications.

Just come out to the reality and see - the world is full of small solutions that happens to be blocking upgrades of larger application suites. And the management of the companies don't want to upgrade "because it works" and that they don't want to spend money on "unnecessary upgrades", sometimes so that they can raise the share values or get a new car.

Re: PHP 7 is awesome

[wimg]

Oh believe me, I know ;-)
Managers don't understand that any piece of software needs maintenance...

Re: PHP 7 is awesome

I thought FB used HipHopVM (HHVM), a p-code/JIT implementation of PHP.

5 and, but no mention of PHP 6

[Hognoxious]

Was version 6 utterly shite, or can't they even count?

Re:5 and, but no mention of PHP 6

[El_Muerte_TDS]

yes

Re:5 and, but no mention of PHP 6

Not sure if you're just having a simple go at trolling, but PHP 6 never happened - the fundamental design was never completed and instead most of the ideas were formalized for PHP 7.

Re:5 and, but no mention of PHP 6

[gman003]

PHP 6 was never actually released.

PHP 6's main feature was better Unicode support... via UTF-16, which it turns out is an awful idea. It's still variable-length, so you get all that complexity just like UTF-8, but it's hugely wasteful in comparison to UTF-8 on stuff like HTML (outputting is literally the main purpose of PHP), and it adds some byte-endianness problems. After realizing it was going to tank performance and just cause more and more problems to develop, the other features were stripped out and ported back to PHP5. PHP7 was a separate project, focused on a new engine for much better performance (though it also added some much-needed syntax like typed parameters and null coalescing). They decided to just skip PHP6 because there was so much published material talking about it, but the main feature of it never appeared (PHP7 internally uses UTF-8 for strings).

Re:5 and, but no mention of PHP 6

[hcs_$reboot]

PHP 6 was released along with iPhone 9.

Re:5 and, but no mention of PHP 6

[Cinnamon+Beige]

Really, while that is a rather wordy way of saying 'so utterly shite it never made it out the door,' it is quite interesting to know how and why it was so bad. Thank you!

Re:5 and, but no mention of PHP 6

[bobby]

php 6 was only supported on Windows 9.

Re: 5 and, but no mention of PHP 6

Found the ruby user.

Confused Anon...

If these are against PHP7, why the need o call out people still running PHP5??

Take your forced deprecation and shove it, please. There was a trend in IT to avoid exotic languages for exactly this reason, think it's time we went back to that. Maybe a little less time writting node "applications" and "frameworks".

PHP’s XP moment

PHP 5 renamed to PHP XP, and all bugs become features.

to re-write the PHP code of the giant old app?

They got the problem of the maintenance that is very expensive.

Blame the user, why don't you

How about you don't release utterly broken software in the first place?

Yes, I know "everyone" does it too. Same goes for them, obviously.

Re:Blame the user, why don't you

If you don't know how to use the tool - or simply refuse to use it the correct way, insisting on your own "special boy" way - the problem is you, not the tool. If PHP was utterly broken the entire world running on top of it would be as well, and surely even you have observed that this is not the case.

Re:Blame the user, why don't you

Who says the entire shitstack of 'web' on top of PHP isn't utterly broken? As noted elsewhere, given the choice to report an error or do something nonsensical, PHP opts for the latter. To the untrained eye that might seem to "work", but work right? That PHP so very rarely does.

Anyway, most of these "users" want a CMS (wordpress) because that's how you "do web" these days, and that they get offered through "one-click installs" at the cheap hoster. IOW, the typical environment is that the thing is treated like the substrate to grow your shitstack on, not as a tool you need to know how to use.

And you really can't blame the user for taking that promise at face value.

Re: Blame the user, why don't you

Again, you are blaming the language when u should be blaming the users for using the tools wrong.

You are so far gone, come back to earth, the airs warm.

c6gunner's impersonating me & lying

See subject: c6gunner's name on this post as submitter yet signed "APK" (me) https://linux.slashdot.org/com...

I never say hosts cure Spectre/Meltdown OR it'd be on the Start64.com download page for it & I do NO MacOS X one!

* Too bad I publicly DESTROYED you c6gunner both here https://tech.slashdot.org/comm... + here https://tech.slashdot.org/comm... vs. your LIES/LIBEL + on hosts' technicals https://tech.slashdot.org/comm...

APK

P.S.=> Due to you TRYING TO PUT WORDS IN MY MOUTH I NEVER SAIDI did get the BLOW YOU AWAY ON IT 4th link above! Hosts is tunable NATIVE resolver driven by tcpip.sys IN kernelmode in Windows + kernelmode diskcache in Linux + hosts resolves faster, safer vs. slow remote DNS that can be DOWN or DNS poisoned & NO DNS TRACKING for fav sites I use @ TOP of hosts for speed/security vs. DNS poisoning & rest are BLOCKED (who cares how 'fast' getting to them - I NEVER INTEND TO GET TO THEM, TTL does rest))

Re:c6gunner's impersonating me & lying

Please complain more about why names don't will work with anonymous posts.

Surprise

Command deprecated.

Syntax deprecated.

Function deprecated..

Upgrade and your shit's all fucked up. Of course people don't upgrade. Nothing nicer than having a PHP upgrade bring down a few hundred WordPress sites.

Re:Surprise

[i.r.id10t]

Except the warnings of impending deprecation have been around for a while. For example, the old mysql family of functions (replaced w/ mysqli and/or PDO) started throwing E_DEPRECATED in PHP 5.5 which was released in mid 2013.

Re: Surprise

Why should I change my code when the existing code works? A lot of changes to php rename functions and add/remove parameters. Depreciation of certain things is often a consequence of the reliance on the shared C runtime and system libraries. Upgrade the OS and those libraries are gone.

Re:Surprise

The "market" has spoken and it said, Fuck that shit. Python is facing the same thing.

People spend time and money making something work. Once they have it working just the way they like, they move on to other things in life. They aren't the least bit interested in coming back to refactor all their code because a bunch of fucking assholes decided that they simply HAD to change the name of a function and then deprecate the old name completely.

Backward compatibility is a must, or people won't upgrade. Fuck the newest object oriented rainbow unicorn pinwheel function if it comes at the cost of the previously working stuff.

Re: Surprise

[dgatwood]

At least the MySQL stuff has a valid reason. The old functions were hard to use in ways that didn't introduce security bugs. Non-parameterized SQL queries are one of the most common causes of security holes, largely because they're really hard to get right. I'm all in favor of killing them. With fire.

It's the other thirteen pages of changes from PHP 5 to PHP 7 that are the problem — little, subtle things where variables get populated in the opposite order depending on what version of PHP you're running, or the order of operations changes in ways that require new parentheses. These sorts of changes are hard to spot in large code bases, and could potentially result in unexplained failures. If your code doesn't have amazing unit test coverage (which PHP usually doesn't)... good luck.

Re: Surprise

[Z00L00K]

Then you need to find a programmer that can understand how to fix that. It's often the case that the person who wrote it has exited the company a long time ago.

That's why breaking backwards compatibility is bad, especially on script based languages.

Malwarebytes' Steven Burn audited my code

See subject: He BOTH hosts + RECOMMENDS it forum.hosts-file.net/viewtopic.php?f=5&t=4290

My code's also VIRUS PROOF (self-checking mathematically down to 1 byte change) upmodded @ CODING FOR DEFCON on /. in 2005 as a good method http://it.slashdot.org/comment...

APK

P.S.=> Dozens of REGISTERED /. users (+ 100,000 users worldwide) disagree with you https://it.slashdot.org/commen...

Hosts results STOPPING MALWARE = UNDENIABLE https://science.slashdot.org/c...

SECURITY PROS agree hosts work https://it.slashdot.org/commen... for MORE speed AND security & they do so NATIVELY for less (resources consumed, less moving parts for exploit vs. SECURITY ISSUE RIDDLED DNS/AntiVirus (which slow you down vs. local hosts in RAM cached) ... apk

Re:Malwarebytes' Steven Burn audited my code

APK
GO the fuck AWAY!

(everybody...!)

APK
GO the fuck AWAY!

APK
GO the fuck AWAY!

APK
GO the fuck AWAY!

APK
GO the fuck AWAY!

Re:Malwarebytes' Steven Burn audited my code

APK doesn't understand security which is why he thinks a non cryptographically secure self check is valid, all his does is check it's current running size over and over again. Hosts only stops sources that are known, long after they have become a threat, and never before. APK's work is slow and can be fooled easily and does not provide any security beyond a placebo effect. APK also doesn't understand how the OS caches host lookups or caches in general work because if he did he would stop spouting off about it being cached. But we all already knew that APK suffers from debilitating mental illness.

Re:Malwarebytes' Steven Burn audited my code

If you're so sure of yourself why hide behind anonymous posts? You did better work than APK? I don't see it. You're jealous of APK and you stalk him due to your inadequacy. All we hear from you is squawking!

Re:Malwarebytes' Steven Burn audited my code

Look everyone we either have someone who is more retarded than APK or APK trying to make it look like he has support. If you aren't APK why do you stick up for a worthless pile of shit who can't even defend his own work from criticism? You sure sound a lot like APK so are you his live in butt buddy?

Re:Malwarebytes' Steven Burn audited my code

Look everyone. It's the unidentifiable anonymous coward who runs and hides from questions put to him like he runs and hides from apk who he stalks.

Not surprising

[93+Escort+Wagon]

Lots of enterprises rely on RHEL 7 / CentOS 7, and those are currently shipping PHP 5.4.16.

Re:Not surprising

[cute-boy]

Lots of enterprises rely on RHEL 7 / CentOS 7, and those are currently shipping PHP 5.4.16.

And if you stay up to date, they are patched (but frequently lacking newer features), at least for RHEL. The Package Versions - Why our package versions are (almost) never bumped up?.

Re:Not surprising

[Alain+Williams]

RHEL/CentOS 6 ships PHP 5.3.3. But one of the things that you get by using something like RedHat is that they back-port bug fixes. Sure a newer version of PHP might be nice, but if the applications work with (a bug-fixed) 5.3.3 then what is the business case for upgrading ? If a later version really is wanted then it is available via Software Collections.

Re:Not surprising

[93+Escort+Wagon]

And if you stay up to date, they are patched (but frequently lacking newer features), at least for RHEL.

Oh yeah, I didn't mean to imply otherwise (FWIW we're a CentOS 7 shop). But it would still show up as "PHP 5" on a survey - which might say as much about the limited usefulness of stories like this one as it does about anything else.

Re:Not surprising

Whaaaaaat?! Someone admitting that distros other than Debian, backport bugfixes and use older, more stable versions of software?

And yet.. no massive attacks "$x distro sux, usez old softwares, LOL".

Re:Not surprising

[Chuck+Chunder]

RH/Centos do offer software collections with more modern versions[ if they want it.

Re:

Besides, normally even numbers are used for stable releases. Why would PHP ever be considered dependable or trustworthy as a stable runtime?

PHP 5.6

[Dutch+Gun]

Everyone is making it sound like PHP 5.6 is some ancient piece of cruft that everyone has had PLENTY of time to upgrade. In fact, after looking it up, it's only about four years old. That surprised me. It's at end of life already?

Since when is "move fast and break things" a winning strategy for a server-side scripting language which runs much of the world's internet infrastructure? Shouldn't the "deadline will not be extended" attitude perhaps be re-evaluated in light of reality?

We've seen this happen before, of course. Language developers often seem to underestimate how long it takes infrastructure to migrate to newer, incompatible versions of a language. For instance, the Python 2.7/3.x split, which occurred a *decade* ago, is still causing headaches on occasion. At least the Python devs had the good sense to support 2.7 until 2020. I'm going to bet that another four years from now, you'll still see a significant number of sites still using PHP 5.6, official support or not.

Re:PHP 5.6

[eutychus]

5.6 is a minor release. PHP 5.0 (first major series release) came out July 2004... and 7.0 came out almost 3 years ago. I've used PHP off and on since 2.0.... If memory serves me, there were major breaking changes between 2 and 3, a few breaking changes between 3 and 4, rare few breaking changes between 4 and 5 and rare few between 5 and 7. The main exceptions I can think of are around misguided features such as magic quotes which were rightly deprecated.

We have quite a lot of old code in production that hasn't changed much over the years... it may not be pretty, but as long as caution was taken, just works. The same is true of most any language.

Re:PHP 5.6

[guruevi]

Yeah minor things like magic quotes and MySQL libraries. All mysql calls from PHP5 have to be changed to at least mysqli if not PDO which is a big difference if you have deep entanglements with your database.

Re:PHP 5.6

Really? It takes hardly an hour to write a decent PDO wrapper that provides the old mysql interface. Refactoring old code takes slightly longer, though most function calls have direct replacements without changing arguments.

Re:PHP 5.6

[gman003]

The old MySQL library (the one whose functions start with "mysql_" instead of "mysqli_", which dates back all the way to PHP2) was fundamentally broken. An API-compatible replacement could not be protected from SQL injection. For that reason, mysql_ was deprecated for the entire 5.x block - issuing increasingly dire warnings with every point release. Finally, PHP7 threw it out because it was the only way to force people to fix their broken insecure code.

In order to have that problem while upgrading, you'd either have to be porting code that went back to PHP4 and hadn't been maintained, or code that was written in a well-known wrong way. Which sure, happens - I cleaned up some mysql_ functions myself while porting code that fell under the former. Took maybe an hour to get it running, although I took some more time to fix the pile of SQL injection flaws still hiding around (PDO lets you protect yourself... nothing will protect you if you're concatenating user input into a query without even escaping it).

Anyone who is willing to let the dropping of the mysql_ API stop them from updating, isn't secure anyways.

Re:PHP 5.6

5.6 is not a minor release when compared to 5.0. If you can't tell the difference, either your code does some simple thing, or its done by monkeys. The numbering version is odd, but consider 5.x releases as forward-incompatible. And after 5.4, porting backwards (which is stupid in php world) would very much be a pain in the ass.

Re:PHP 5.6

[xonen]

It takes hardly an hour to write a decent PDO wrapper that provides the old mysql interface.

Been there, done that, but there's a (big) performance penalty doing so.

The old mysql* interface was fine, functional and elegant in itself, the issues mostly because people not knowing how to use it correctly (being spoiled by all needless OOPS a.k.a. object oriented spaghetti) , and not because of a significant limitation of the api itself.

Writing a wrapper sort-of works but is never 100% optimal, plus the whole website needs to be evaluated. Rewriting *everything* is simply out of the question for the obvious reasons and usually only leads to more and new bugs or new security issues.

Breaking what's not broken in the sake of 'security' instead of directing people to RTFM is just ignorant. I totally agree with GP.

Re:PHP 5.6

[guruevi]

Both Perl and Ruby have implemented injection-proofing with a thing called tainted variables. You can't fix stupid but in many cases you can make old applications injection proof by simply cleaning the $_REQUEST array at the very beginning of your script.

Sure it isn't clean but it's cheaper than rewriting hundreds of lines of code and introducing weird bugs or having to write tests for an application that doesn't have them.

The PHP way of requiring spaghetti-code (OOM) in the middle of what's basically a scripting (procedural) language is equally bad.

Re:PHP 5.6

[gman003]

The tainted variables concept only works if you have functions that can actually clean them. AIUI, the old mysql_ API does not have that, and in fact cannot have that without breaking compatibility with old (MySQL 4.x) servers. The actual C-level API for MySQL changed, as did the network protocol. So they split it - mysql_ was kept around for compatibility, and mysqli_ was made to take advantage of the new features, like bound parameters which ACTUALLY solve the problem of tainted data by separating data and logic in the API. No sanitizing necessary - the API itself is aware of what is SQL code and what is data, and so it never even considers the data for execution. If you still want to do it by escaping user input and concatenating it into a query, you can do so, but the only sane reason to do so it when porting old code.

By "OOM", do you mean that it's object-oriented? Because that's also wrong - mysqli_ has object-oriented and procedural versions of everything. Look at the docs sometime, it's almost a drop-in replacement, other than needing to explicitly pass the connection in. But even the object-oriented stuff isn't spaghetti code unless you write it that way - it's straightforward calling of methods on objects, one after the other. Read the examples, they roll straight down, only stopping on error.

ESR

PHP devs should stop incrementing their version.

Why they can't call it 'php'?

I had to edit multiple directories to upgrade PHP5.x to 7.0, and I will have to do so again if I want to upgrade to 7.1/7.2.

Stop doing this and give me ESR edition.

Re:

Oh I dunno, maybe the fact that most things in the world of the web is built on it, and that the majority of these things operate perfectly fine - that which does not is a problem of the web application, not PHP. Don't conflate poor applications with poor languages/frameworks. They are complex tools and misuse isn't the fault of the language. It has quirks, but it's not incapable. Only a non-programmer - or finicky developers with "special needs" - will tell you so.

Migrating to PHP 7.x isn't that big of a deal.

[Qbertino]

Replacing stuff from 5.x that doesn't work is nigh trivial. Then again, if you did your homework and didn't code crap, 5.x is perfectly safe.
Of course we all know that PHP is the favorite PL of many people who can't programm, so YMMV.

Not remotely exploitable?

From a scan of the change log looks like all the attack vectors require a maliciously written script to run on the server I didnâ(TM)t see anything remotely exploitable why didnâ(TM)t they mention scope? I am Ignoring devs who might pass web input to eval they have other problems already.

PHP 7 is a non-trivial update, for some

[LostOne]

There is a *lot* of code out there that does questionable stuff in PHP. Stuff that approximately works in PHP 5.6 but fails hard in PHP 7. A large amount of it is relying on things that were deprecated way before PHP 5.6 was even considered as a possibility. A lot of that code is non-trivial so it isn't a quick fix to update it, or worse, is orphaned and there is nobody to update it.

Even worse, a large fraction of it is on sites who don't have a programmer. It exists in unmaintained modules or add-ons to some framework or other that is, itself, often never upgraded. At $dayjob, I've lost count of the number of web sites that get defaced because someone bought a web site from $random_web_developer who used $framework and then never did any maintenance. I mean, people still expect a web site to be "fire and forget", especially if it's a simple brochure style site, and don't understand why they should have to put resources into maintaining it. And they're not wrong, either. These are the vast majority of the sites I can't force-upgrade to PHP 7 without having the customers simply cancel their accounts and not pay their outstanding bills. (Eventually I'll have to, but not today.)

On the other hand, I had almost no issues running PHP code I wrote on PHP 7. But that's probably because I don't overcomplicated the code with eleventy thousand classes, namespaces, autoloading classes, "Composer", or any other fancy gimmick that is all the rage today. The issues I did have tended to be due to code that really shouldn't have worked in the first place, or actually wasn't working properly even on PHP 5.6.

Re:PHP 7 is a non-trivial update, for some

There is a *lot* of code there that is shit. In every language. There arent that much issues running 5.x code in 7.x. and I say this after building stuff that actually breaks in 7.x. Composer has no issues, having thousand classes has no issues. Naming may have issues (my case). But that's basically it

Re: PHP 7 is a non-trivial update, for some

PHP 7.3 breaks composer. The "did you mean continue 2?" problem.

PHP 7.2 is fine.

Re:PHP 7 is a non-trivial update, for some

[decep]

You will have almost no problems running your code under PHP 7 as long as your code is not crap. Specifically 7.1+.

The problem is, your code is probably crap and you just do not know it. The amount of bad code that is silently accepted in PHP 7.0 (and less) is just mind boggling.

This has always been the problem with PHP. PHP gives you the rope hang yourself, you just do not know you have hung yourself.

PHP is the only language that makes you wish you were using Perl.

Upgrade PHP using Ondrej's PPA

[kbahey]

Your application may well work with PHP 7.x, or there may be a newer version of it that does work with the newer version. That is unless you have home grown code, or must run an older version.

If you are running Debian or Ubuntu, you can upgrade PHP to 7.2, using the following commands:

LC_ALL=C.UTF-8 sudo add-apt-repository ppa:ondrej/php
sudo apt update
sudo apt install php7.2

This works on Ubuntu 16.04 LTS, if you need to stay on that, and not having to upgrade to 18.04 LTS. The former is supported for a few more years.

Re:Upgrade PHP using Ondrej's PPA

[iggymanz]

no, in general it won't work, PHP 7 breaks backwards compatibility which is why this article has no point.

Languages that break backwards compatibility cause people to stay with older versions. Get used to it, the next decade belongs to PHP 5

Re:Upgrade PHP using Ondrej's PPA

[kbahey]

While what you say is generally the case, it does not have to be.

For example, Drupal 6 was released in Feb 2018, that is more than a decade ago. It was End of Life on Feb 2016, after version 8 came out.

But that did not stop people from using it. Even the impending PHP version change did not deter some from making the necessary changes for Drupal 6 to run under PHP 7.2.

See for example this announcement.

I am testing a Drupal 6 site now and it does run under PHP 7.2.

So, checking whether the package one uses has been updated for PHP 7.2 is worthwhile.

Re: Upgrade PHP using Ondrej's PPA

Feb 2018 more than a decade ago? Can I see your time machine?

Re: Upgrade PHP using Ondrej's PPA

"Drupal 6 was released in Feb 2018, that is more than a decade ago."

We're travelling near the speed of light, but you're not? I'll have what he's having!

Re:Upgrade PHP using Ondrej's PPA

[iggymanz]

You picked the worst thing on the planet to support your position.

there are 41,500 Drupal modules out there. You think a money making company is going to risk breaking one of the many chosen out of that pile that run their sites by changing PHP major version? Not a chance in hell.

Anyway, less than 2 percent of web sites use Drupal, it's not the driving force behind PHP websites.

Re: Upgrade PHP using Ondrej's PPA

[kbahey]

Drupal 6 was released Feb 2008, so more than a decade ago.

Re: Upgrade PHP using Ondrej's PPA

[kbahey]

Drupal 6 was released Feb 2008, so more than a decade ago.

Re:Upgrade PHP using Ondrej's PPA

[kbahey]

I am a Drupal contributor for the past 15 years, so I know Drupal pretty well.

As I mentioned before Drupal 6 (core) has been patched to fully work with PHP 7.2. There is a concerted effort to do the same for Drupal 7.

Yesterday, I tried PHP 7.2 with 4 sites on two servers. One site is Drupal 6, the others are Drupal 7. They all worked without a single code change. One configuration statement had to be omitted, but that was it. The sites in question have the advantage of not being a victim of the open buffet binge syndrome.

There are known examples of modules that don't work (e.g. Rules). For sites that use 200+ modules (a very common thing), there is this thing called testing. If your workflow already has a test server, then test PHP 7.2 there and see if things work as expected. If not, then copy the live site to a test server and reproduce it there.

Regardless of Drupal's market share, it is just an example of a development community getting things working on newer PHP versions, and the process is sure not unique to Drupal at all. It can be done with a concerted group effort.

Re:Upgrade PHP using Ondrej's PPA

[iggymanz]

I'm devops who has a few dozen drupal servers in the hundreds of servers I admin....

  since PHP 5.x is supported and will have security patches, why would we bother to even test 7.x and hope the hundreds of modules we use would have something missed in the test? Answer, we won't, we'll use the modules that were written for PHP 5 with 5.

There is zero incentive to change, it's only risk with huge downside if something missed. Someday when security patches stop then it would be concern.

other languages value backwards compatibility more.

Re:Upgrade PHP using Ondrej's PPA

[kbahey]

since PHP 5.x is supported and will have security patches, why would we bother to even test 7.x

I thought it was obvious, and you knew, but here it is:

PHP 5.6 (the last release for 5.x) will be end of life by 31 Dec 2018 (that is 2 months from now).

PHP 7.0, which is the default version for Ubuntu 16.04 LTS, end of life 3 Dec 2018 (1 month from now).

See PHP supported versions.

Hence, PHP 7.2 is the current version with the most life left, and the need to upgrade to it.

A little more into the future: PHP 7.3 is still RC, but the good news is that there is not much difference between it and 7.2, therefore the upgrade from 7.2 to 7.3 should painless.

Re:Upgrade PHP using Ondrej's PPA

[iggymanz]

the paid distros have their own support schedule, php 5 is a part of them

Re:Upgrade PHP using Ondrej's PPA

[kbahey]

I don't use paid distros.

I use Ubuntu 16.04 LTS for all my servers. There is still one client on 14.04 LTS even.

Hence the need to move. So far, no surprises.

same old

[bigtreeman]

a publicly exposed language which has always had security issues,
clever websites - not

um, Joomla has

[cascadingstylesheet]

Joomla has been urging people to update to PHP 7 for quite awhile now. There's a big message right on the admin dashboard.

Re: um, Joomla has

[Z00L00K]

Considering all the headaches that php gives I wouldn't use anything that is based on php.

Re: um, Joomla has

Considering all the headaches C has....

I'm glad smart people don't think like you. We'd be stuck at scratching our asses instead of Doing actual work.

Bad summary

Successfully exploiting the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application.

This phrase was reworded almost a dozen times to make up an article. The end result making it sound like if you run PHP then you are vulnerable. But if you look at the bugs they are just standard bugs.It's like how the drug commercials almost always list death as a possible side effect. That doesn't mean if you take any drugs you'll die. You might, but it doesn't mean that.

encourages sql injection vulnerabilities

Yes, php, a language that built sql injection vulnerabilities into the API.

Re:encourages sql injection vulnerabilities

[eneville]

Yes, php, a language that built sql injection vulnerabilities into the API.

At least they know what query parameters are now. The programmer wasn't entirely at fault, up until PDO anyway.

Re:encourages sql injection vulnerabilities

[CustomSolvers2]

At least they know what query parameters are now. The programmer wasn't entirely at fault, up until PDO anyway.

Because there is no way to sanitise the inputs yourself, right? Because programmers are expected to quickly put together whatever, by not caring about the consequences at all and, in case of problems, complaining about the programming language? Because software developers are so lowly-qualified professionals and their expertise is so extremely unrelated to properly understanding/having full control on the given situation that they will fail to take care of even the slightest detail which the given tool (AKA programming language) hasn't made completely idiot-proof? LOL.

No. The only responsible for any SQL injection or any other problem provoked by an inadequate algorithm, usage of the programming language or poor understanding of whatever scenario is the programmer. Full stop. The fact that the whole programming process might be very complex, demanding, error-prone and that the given framework should ideally provide friendly ways to ease the more problematic parts is a different story. But a diligent-enough developer facing whatever implementation by relying on whatever resources should properly understand the conditions and adapt his coding behaviour accordingly. He can complain about having to pay more attention, wasting more time or preferring a different platform. But, unless in exceptional cases (unknown bug in the programming language), whatever problem in the generated piece of software will be his fault, either directly (limited experience, bad personal decisions, bad understanding of the problem/environment) or indirectly (having to comply with ridiculous constraints).

BTW, I have written many algorithms connecting to different databases, most of the times by sanitising the inputs myself rather via parametrised queries (not recommending to do so to everyone though). In fact, this is just a small subset of all the implementations where I have had to make sure that the inputs meet the expectations of the corresponding algorithm. I have never had any kind of input-sanitation-related (security) problem and, in case of ever having it, I would certainly be my fault.

Re:encourages sql injection vulnerabilities

[eneville]

poor understanding of whatever scenario is the programmer

This. Shame with PHP though that between versions magic quotes crept in, so legacy programs that had to work around lack of parameters then had to be adapted to cope with systems where a new layer was introduced, otherwise things became double escaped.

Fork 5?

Since a lot of existing code depends on 5, why not fork 5 and fix the security problems rather than try to convert it all to 7?

Re:Fork 5?

[eneville]

It's open source, why not cherry pick the bits you want, and name it something else?

Re:Fork 5?

That'd be soooo much fun! Let's name it PCP, print out the source, and smoke it.

Re:Fork 5?

[Tablizer]

If enough people don't want to be force-fed 7, it could happen.

Re:

Besides, normally even numbers are used for stable releases.

We aren't talking about Star Trek here.

CentOS, etc.

[brickhouse98]

It should be noted that CentOS 6 notably (and RH6 I would assume) by default still ship with PHP 5 (5.6 by now I think?) To get a newer version, you must add a different repo as I don't think PHP7+ is even in EPEL. I can easily see why the number is so high, not to mention anyone crazy enough to run PHP on IIS where it most likely will just tick to the end of its useful life instead of going through an upgrade process.

Re:CentOS, etc.

RHEL 6.x ships with 5.3.x (security fixes backported, but not all features in 5.3.x are backported to the 5.3.x version they base from). RHEL 7.x ships with 5.4.x. They have a "feature" package you can get which installs a newer version in a standalone directory, with its own named service to keep from interfering with the base system version, but it's kind of painful to install and reference.

I find it much easier to install packages from webtatic's yum repos, they have been well maintained the past few years and replace the system version directly albeit with a slightly different naming scheme to prevent confusion on upgrades. To migrate from the system to one of those, or vice versa, you just remove the one you're running and install the new one, and then just need to manage php.ini's and other direct config files.

Not quite as bad as it sounds

[jon3k]

I think a large percentage of that is the CentOS/RHEL that is still on 5.x which isn't as awful as it sounds because Redhat will ensure security fixes for 5.x as long as they continue to distribute it. They have a history of backporting fixes to ensure stable versions for a very long time. But I am very surprised by how long they've stayed at PHP 5.x, feels like more focus was placed on python 3 than php 7, and for good reason.

Malwarebytes' Steven Burn audited my code

See subject: He BOTH hosts + RECOMMENDS it -> forum.hosts-file.net/viewtopic.php?f=5&t=4290

My code's also VIRUS PROOF (self-checking mathematically down to 1 byte change) upmodded @ CODING FOR DEFCON on /. in 2005 as a good method http://it.slashdot.org/comment...

I won't give my work away so "OpenSORES" thieves can use it (or abuse it, see EFast/Google Chrome).

APK

P.S.=> Dozens of REGISTERED /. users (+ 100,000 users worldwide) disagree with you https://it.slashdot.org/commen...

Hosts results STOPPING MALWARE = UNDENIABLE https://science.slashdot.org/c...

SECURITY PROS agree hosts work https://it.slashdot.org/commen... for MORE speed AND security & they do so NATIVELY for less (resources consumed, less moving parts for exploit vs. SECURITY ISSUE RIDDLED DNS/AntiVirus (which slow you down vs. local hosts in RAM cached) ... apk

c6gunner IMPERSONATING me again?

See subject: his FAKEname on a post impersonating me https://linux.slashdot.org/com... & altering /.er's words.

c6gunner tried to mock me 1st https://linux.slashdot.org/com...

So I challenge c6gunner to show he did better work than mine & he CAN'T!

YOU DEMAND PROOF of others here?

"I've yet to see you provide any evidence of that." by c6gunner on Monday March 15, 2010 @10:02PM (#31490942) ?

So now I DEMAND IT OF YOU & YOU FAIL!

c6gunner = "Run, Forrest: RUN!!!

* c6gunner's LYING saying I did a MacOS X one - I haven't yet & c6gunner's LYING impersonating me saying hosts work vs. Intel CPU issues (spectre/meltdown).

APK

P.S.=> You say hosts = shit here https://slashdot.org/comments.... ?

FACTS: /.ers & security pros + RESULTS say DIFFERENT:

1st: /.ers https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments....

2nd: SECURITY PROS https://slashdot.org/comments....

3rd: REAL RESULTS w/ hosts vs. threats https://slashdot.org/comments....

EAT YOUR WORDS!

Re: c6gunner IMPERSONATING me again?

Caution:

The APK host file program is a virus. I downloaded it last night and now my PC won't boot. Apparently it ran something called a "deltree" on my system.

It loaded up AoL2.5 and went to the chat room "puntpunt" and started scrolling "I've been owned by IB!"

I quickly turned off the computer, but when it rebooted all that was left was a black screen with the letter "C:/>"

Someone help please. This Alexander prick ruined my computer with his APK host file crap.

Re: c6gunner IMPERSONATING me again?

Care to show solid proof instead of your lies Anonymous Coward? No? Didn't think so.

Mod, source

This ThreatPost article blatantly copies a ZDNet story: https://www.zdnet.com/article/around-62-of-all-internet-sites-will-run-an-unsupported-php-version-in-10-weeks/

Just saying. If you're gonna run this story, at least run the actual reporting, and not some lame clone that doesn't even give credit to the actual source. I'm getting tired of these Indian and Pakistani blogs claiming to be news outlets these days.

Re: Mod, source

You must be new here.

Welcome o/

LOL! Your bs = EASY to disprove... apk

Blocking sources of threats = how you STOP THEM & they're STILL THREATS you dumb fuck. You think your line of bs = effective from you? Guess again stupid.

It doesn't check over & over. It checks itself when any procedure or function runs & against size change (which is what virus' do altering function jmp tables attaching to end of a program on disk).

It works great.

YOU TRYING TO SAY THAT A KNOWN BAD SITE LIKE THIS E.G.:

0.0.0.0 thissitefucksupyoursystem.com

IS NOT BLOCKED BY THAT(when accessed by that host/domain name in a browser OR otherwise IF that entry is in hosts)?

* YOU ARE VERY WRONG (& you KNOW it) IF YOU THINK THAT (but nobody said you have the ability to think, let alone logically or critically).

APK

P.S.=> Lastly - nobody believes you UNIDENTIFIABLE anonymous NOBODY do-NOTHING mere "ne'er-do-well" - lol, EVEN YOU DON'T BELIEVE YOU - you don't STAND BEHIND YOUR WORDS (all lies & deceits) constantly STALKING ME... apk

Fake News

While the PHP 5->7 parade is a serious problem, this weird MS-ISAC advisory appears to be bogus. Most likely ineptitude. You know what they say about ineptitude and malice.

Here's a public note from Ubuntu's maintainer about it.
https://bugs.launchpad.net/ubuntu/+source/php7.2/+bug/1798625

How did this get all over the news without so much as a CVE attached to it? It certainly seems like a fake news hack job.