Halloween may be over but enterprises running PHP version 5 could face a house of horrors year round.
According to recent data from W3Techs, PHP is in use in nearly 80% of all websites, and the majority of instances use PHP v5 -- which is due for end of life at the end of 2018.
PHP, which is an open source scripting language, is used by 78.9% of websites, according to data company W3Techs. PHP v5 is used by 61.6% of all websites. However, security support for PHP 5.x ends on Dec. 31, 2018, so starting in the new year, all sites running the outdated PHP 5.x or older will be at risk to any and all security vulnerabilities that would affect the script language.
Security professionals have been aware of the looming deadline for a while, and the 2018 deadline was actually an extension from the previous end of security support deadline. The most current version, PHP 7.2 was release in November 2017 and will only receive security support until the end of 2020. However, 5.6, which was initially released in August 2014, is still the most widely used version.
While there hasn't been a major effort to get content management systems users to upgrade to a more current and supported version of PHP, Drupal took a step at the beginning of 2018 to require that users implement PHP 7 or higher starting March 2019 -- which is still after the end of life date for PHP 5.x.
But neither of Drupal's major competitors, WordPress or Joomla, has taken any steps to implement such a requirement. Joomla's minimal requirement is PHP 5.3 and WordPress's minimal requirement is 5.2. While WordPress hasn't insisted its users to upgrade to a supported version of PHP, it does have a support page that says an upgrade can make a user's site faster and more secure.
"Updating your PHP version should not be a problem, but we can't guarantee that it's not," WordPress wrote. "WordPress itself will work with PHP versions as far back as 5.2 (we're recommending version 7.2 at the time of writing, so this is great backward compatibility!), but we don't know if your themes or plugins will work."
The threat outdated PHP
PHP's recent history is littered with a variety of security vulnerabilities. Research done in 2015 by Google developer advocate Anthony Ferrara found that 78% of PHP installs were considered insecure, and there are 577 CVEs logged since the early days of the programming language in 1999. There have been 13 in 2018, though most apply to old and new versions of PHP. One of the worst recent vulnerabilities was found in March 2018 -- CVE-2018-7584 -- and could have enabled an attacker to execute arbitrary code in most versions of current and outdated PHP, though no active exploits were found in the wild.
In 2017, there were 43 total recorded security vulnerabilities with PHP, all of which affected either PHP v5 or PHP v7, or both. Of those, 21 have a severity rating of 7 or greater.
In a presentation at Black Hat 2018, security researcher Sam Thomas of Secarma Labs detailed research on a new PHP attack technique. With this technique, attackers can take advantage of XXE vulnerabilities in outdated PHP and cause data to become unserialized -- that is, an object is injected into the data and then loaded into an application. An attacker could take advantage of unserialized data and remotely execute arbitrary malicious code.
While the large majority of sites that use PHP are using outdated PHP versions, it would be too difficult for a lot of organizations to update because it would mean concurrent updates to production, development and testing environments, according to Johannes Dahse, CEO of RIPS Technologies. In 2017, Dahse also outlined in a blog post how memory corruption flaws in PHP can affect the security of application. The bug takes advantage of the PHP core, and while PHP is updated with relative frequency, it can still be used against sites that don't use the latest version.
"In order to fully protect your application against adversaries, staying ahead of the arms race and applying security patches is crucial," Dahse wrote. "Even if your code is securely written, leveraged PHP features may be still vulnerable to attacks."
There has been no indication of whether or not a new version of PHP is on its way to take the place of all the soon-to-be outdated versions.