It's been one year since PHP stopped providing support and updates for version 5.6, which is still the most popular version of PHP. Let us take a moment to understand how the landscape has changed and how positively the PHP folks are moving forward.
In fact, version 5.6 is so popular that even one year after all support and updates stopped, folks are still continuing to use it for various reasons. Last year (2019), we did the same analysis on the Top 2 million websites and it was shared with the community under the name phpVatch.
[Chart: Safe vs. UnSafe percentages]
Shown above are the current metrics gathered by scanning the Top 2 million websites, which were configured to leak PHP version information.
This PHP information leak can be easily fixed with a simple configuration which is clearly documented on the PHP.net website itself. Based on the scan results, approximately 9% of the websites running PHP leak this version information.
Out of curiosity and to see the positive progress at hand, I re-scanned the same list. I have to admit that the results were pretty much as expected, with a bit of positive progress.
That being said, we should also take a moment to pause and understand the enormous amount of work that is still needed to migrate to safe versions, 7.2 or greater.
Though the various benefits, including speed and security, are highlighted and detailed by the PHP community at large, it is still hovering at only a paltry 21%.
Year 2019 - PHP Version Status
Though there is a considerable amount of work to be done, we have to admit that this year has shown the highest migrations, considering the various benefits including security and speed.
A glance at the charts reveals that the percentage of v5.6 has dropped by approximately 10%, which by itself is a good positive shift.
Another positive metric to watch is the rising percentage of versions 7.2 or greater. I am extremely positive that we should be rising much faster, considering the stability offered and the timeline provided for the remaining folks running v7.1 or lower.
Year 2020 - PHP Version Status
2019 vs 2020 Metrics
A surprising fact in this scan was that folks are still running pretty outdated versions. I can understand PHP has been around for long, but running version 3 on a publicly exposed web server is not going to end well.
Versions 3 and 4 are close to hitting 20 years in service, which makes me wonder if they are really running v3 and v4. Who knows, they might be masking their versions and presenting false info as part of their defense strategy, or maybe they are really running those legacy versions.
PHP Upgrade Progress [2020]
Top 40 TLD 2020 PHP Status
The image shown above is a representation of the Top 40 TLDs and their leaky PHP versions. Barring only one TLD, all the rest of the TLDs are pretty much hovering above 70%, indicating a strong and pending action item to migrate to safer versions.
It also clearly captures the level of work needed to reach the current stable and safe versions of PHP. Except for the .DK TLD, none of the Top 20 were positive on having versions at or above 7.2.
Interestingly, the .DE TLD was found to come even closer, with both percentages near each other (57% old and 43% updated).
Technology Used
Well, I fancy Python for all my scripting work (sorry PHP fans) and I tried to whip up a simple scanner to get the header information of the websites from the list.
Used the same combination as last year, which was reasonably good enough to meet my requirements without demanding too much infrastructure computing power. It was the combination of RabbitMQ and Celery running my Python scanner in a smooth manner which actually delighted me considering the initial failure. Flower was one beautiful tool that I used for progress monitoring. Within a couple of hours, I was able to get all the data.
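As an added example (not the scanner used for this post), here is one way the header check at the heart of such a scan can classify a response once the headers are collected. The 7.2 safe floor comes from the post; the function names and the sample headers are constructed for illustration.

```python
import re
from collections import Counter

# PHP advertises itself in X-Powered-By when expose_php is on; some servers
# also append it to the Server header (e.g. "Apache/2.4.6 PHP/5.6.40").
PHP_RE = re.compile(r"PHP/(\d+)\.(\d+)", re.IGNORECASE)
SAFE_FLOOR = (7, 2)  # the post treats 7.2 or greater as safe


def php_version(headers):
    """Return the (major, minor) PHP version leaked in headers, or None."""
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    for name in ("x-powered-by", "server"):
        match = PHP_RE.search(lowered.get(name, ""))
        if match:
            return int(match.group(1)), int(match.group(2))
    return None


def classify(headers):
    """Return 'safe', 'unsafe', or 'hidden' (no PHP version in the headers)."""
    version = php_version(headers)
    if version is None:
        return "hidden"
    return "safe" if version >= SAFE_FLOOR else "unsafe"


def summarize(responses):
    """Tally classifications and major.minor versions over many responses."""
    status, versions = Counter(), Counter()
    for headers in responses:
        status[classify(headers)] += 1
        version = php_version(headers)
        if version:
            versions["%d.%d" % version] += 1
    return status, versions


# Constructed sample headers (not data from the scan).
SAMPLE = [
    {"Server": "nginx", "X-Powered-By": "PHP/5.6.40"},
    {"Server": "Apache/2.4.6 (CentOS) PHP/7.3.12"},
    {"server": "Apache", "x-powered-by": "PHP/7.1.33"},
    {"Server": "nginx"},  # nothing leaked, e.g. expose_php = Off in php.ini
    {"X-Powered-By": "PHP/7.2.26-1+ubuntu18.04.1"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running the same check against your own site's response headers tells you whether the version leak described above applies to you.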
With that, I would request your comments and do share if you have any feedback or improvements for the same. I would be more than happy to answer.
Happy New Year To You & All Your Family Members !
Continuation from https://blog.xposedornot.com/phpvatch/ This was the post where we initially published the Top 2 million websites and their PHP version status.