Still running an old version of PHP?

Posted on March 20, 2014
 

An article posted today on arstechnica.com looks at a well-known and fixed vulnerability in PHP that is still being used to hijack sites. See "PHP bug allowing site hijacking still menaces Internet 22 months on".

PHP versions prior to 5.3.12 and 5.4.2 are vulnerable. The Imperva blog post said that an estimated 16 percent of public websites are running a vulnerable version. People running susceptible versions should upgrade right away. Readers who visit vulnerable sites should notify the operators of the risk their site poses.

Of course, that 16% estimate should be taken with a grain of salt, since the exploit depends on PHP being called via the Common Gateway Interface (CGI). Many sites on Apache run it via mod_php. Other web servers, like nginx, use the newer FCGI or FPM to execute PHP. CGI seems to be common in shared hosting setups or those that use web-based admin panels to handle server configuration.
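An added example (not from the original post or the PHP project) that applies the two conditions above, the version range and the CGI SAPI, to the first line of `php -v` or `php-cgi -v` output gathered from a set of servers. The host names and banner lines are constructed, the status strings are this example's own labels, and the vendor-suffix check assumes a distribution package may carry a backported fix under an old version number.

```python
import re

# Fixed releases named in the post, one per branch.
FIXED_53 = (5, 3, 12)
FIXED_54 = (5, 4, 2)

# First line of `php -v`, `php-cgi -v` or `php-fpm -v`:
#   "PHP <version>[vendor suffix] ... (<sapi>) (built: ...)"
BANNER = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)(\S*).*?\(([\w-]+)\)")

def version_is_vulnerable(version):
    """True when (major, minor, patch) predates the fix on its branch."""
    if version >= (5, 4, 0):
        return version < FIXED_54
    return version < FIXED_53

def assess(banner):
    """Classify one version banner; returns a short status string."""
    m = BANNER.match(banner.strip())
    if not m:
        return "unparsed"
    version = tuple(int(part) for part in m.group(1, 2, 3))
    suffix, sapi = m.group(4), m.group(5)
    if not version_is_vulnerable(version):
        return "patched"
    if not sapi.startswith("cgi"):
        # cli, fpm-fcgi, apache2handler: outdated, but not the CGI binary.
        return "outdated-not-cgi"
    if suffix.startswith(("-", "+")):
        # Assumption: vendor builds may backport the fix under the old number.
        return "check-vendor-patch"
    return "at-risk-if-cgi"

# Constructed inventory: host name -> banner collected from that host.
SAMPLE = {
    "web1": "PHP 5.3.10 (cgi-fcgi) (built: Feb  2 2012 17:12:52)",
    "web2": "PHP 5.4.1 (fpm-fcgi) (built: May  1 2012 09:30:11)",
    "web3": "PHP 5.3.3-7+squeeze19 with Suhosin-Patch (cgi-fcgi) (built: Mar  1 2014)",
    "web4": "PHP 5.4.26 (cgi-fcgi) (built: Mar  7 2014 10:02:44)",
    "web5": "PHP 5.2.17 (cgi) (built: Jan  6 2011 11:20:03)",
}

def audit(inventory):
    """Map each host to its status."""
    return {host: assess(banner) for host, banner in inventory.items()}
```

A `cgi-fcgi` banner only shows that the CGI binary is installed; whether requests reach it as plain CGI or through FastCGI depends on the web server configuration, so `at-risk-if-cgi` hosts still need that check.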

If you are using version 5.3, it's long past time to upgrade. Not only are you missing new language features like traits and short array syntax, but 5.4 had changes under the hood that improved performance by about 20% and also trimmed memory usage. Before you embark on an upgrade, be sure to read up on the backward-incompatible changes in 5.4.

If you’re ready to make the leap to 5.5, you can read up on BC breaks here. If you need more details and advice, the March issue of php[architect] has a deep dive into the new features, and advice on how to put them to use today. We also have a look at the future of PHP by previewing what’s coming with the release of 5.6.

What if you are using an older distribution of Linux, or one that is just slow in bundling the latest versions in its package repositories? I've used dotdeb.org to get the newest version of PHP (and more) on Debian servers. Webtatic.com and other sources are available for CentOS.


About the author—Oscar still remembers downloading an early version of the Apache HTTP server at the end of 1995, and promptly asking "Ok, what's this good for?" He started learning PHP in 2000 and hasn't stopped since. He's worked with Drupal, WordPress, Zend Framework, and bespoke PHP, to name a few. Follow him on Google+.