The metrics shown above were gathered by scanning the top 2 million websites for sites configured to leak PHP version information.
This PHP information leak can be fixed easily with a simple configuration change that is clearly documented on the PHP.net website itself. Based on the scan results, approximately 9% of the websites running PHP leak this version information.
Out of curiosity, and to see the positive progress on hand, I re-scanned the same. I have to admit that the results were pretty much the same as expected, with a bit of positive progress.
Though there is a considerable amount of work to be done, we have to admit that this year has shown the most migrations, considering the various benefits, including security and speed.
A glance at the charts reveals that the percentage of v5.6 has dropped by approximately 10%, which by itself is a good shift.
Another positive metric to watch is the rising percentage of versions 7.2 or greater. I am extremely positive that we should be rising much faster, considering the stability offered and the timeline provided for the remaining folks running v7.1 or lower.
A surprising fact in this scan was that folks are still running pretty outdated versions. I can understand that PHP has been around for a long time, but running version 3 on a publicly exposed web server is not going to end well.
Versions 3 and 4 are close to hitting 20 years in service, which makes me wonder if they are really running v3 and v4. Who knows, they might be masking their versions and presenting false information as part of their defense strategy, or maybe they really are running those legacy versions.
The image above represents the Top 40 TLDs and their leaky PHP versions. Barring only one TLD, all the rest are hovering above 70%, indicating a strong and pending action item to migrate to safer versions.
It also clearly captures the level of work needed to reach the current stable and safe versions of PHP. Except for the .DK TLD, none of the Top 20 were positive on having versions at or above 7.2.
Interestingly, the .DE TLD was found to come close, with the two percentages nearly level (57% old and 43% updated).
Well, I fancy Python for all my scripting work (sorry, PHP fans), and I tried to whip up a simple scanner to get the header information of the websites from the list.
I used the same combination as last year, which was reasonably good enough to meet my requirements without demanding too much infrastructure computing
was one beautiful tool that I used for progress monitoring. Within a couple of hours, I was able to get all the data.
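An added example (not the author's scanner): the header check such a scan relies on, run here on constructed response headers of the kind you would capture from your own sites. It assumes the version is disclosed as a `PHP/x.y` token in `X-Powered-By` or `Server`, which is what PHP sends while the `expose_php` directive in php.ini is left on; the host names and the `bucket` helper are hypothetical.

```python
import re
from collections import Counter

# PHP advertises itself as "PHP/<version>" in X-Powered-By while expose_php is On,
# and on some Apache setups the same token also appears in the Server header.
PHP_TOKEN = re.compile(r"PHP/(\d+)\.(\d+)", re.IGNORECASE)


def leaked_php_version(headers):
    """Return (major, minor) if the headers disclose a PHP version, else None."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in ("x-powered-by", "server"):
        match = PHP_TOKEN.search(lowered.get(name, ""))
        if match:
            return int(match.group(1)), int(match.group(2))
    return None


def bucket(version):
    """Hypothetical helper: split versions at 7.2, the line the post draws."""
    return "7.2 or greater" if version >= (7, 2) else "7.1 or lesser"


def summarize(responses):
    """responses maps site -> headers. Returns (percent leaking, bucket counts)."""
    versions = [leaked_php_version(h) for h in responses.values()]
    leaked = [v for v in versions if v is not None]
    percent = 100.0 * len(leaked) / len(responses) if responses else 0.0
    return percent, Counter(bucket(v) for v in leaked)


# Constructed sample responses (not scan data from the post).
SAMPLE = {
    "a.example": {"X-Powered-By": "PHP/5.6.40", "Server": "nginx"},
    "b.example": {"Server": "Apache/2.4.29 (Ubuntu) PHP/7.2.10"},
    "c.example": {"x-powered-by": "PHP/7.3.1"},
    "d.example": {"Server": "nginx"},          # expose_php = Off: nothing leaks
    "e.example": {"X-Powered-By": "Express"},  # not PHP at all
}

if __name__ == "__main__":
    pct, counts = summarize(SAMPLE)
    print(f"{pct:.0f}% of sampled sites leak a PHP version: {dict(counts)}")
```

After setting `expose_php = Off` and reloading PHP, the same check on a fresh capture of your site's headers should return `None`.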
With that, I would request your comments; do share if you have any feedback or improvements for the same. I would be more than happy to answer.
Happy New Year to you and all your family members!