The Journey To Migrate From PHP 5.x
Cybercriminals love old software and outdated platforms. It is their candy store, their toy store, as old, outdated software is full of known vulnerabilities which hackers can exploit for their own purposes. This happens every day, as not everyone runs their personal device with the latest software and apps, which maximizes the attack surface of their devices.
However, it is a much bigger deal when the software that renders a website is not kept updated. One such opportunity for potential hacking is the planned discontinuation of PHP v5.x, a very common scripting technology for many websites today. Websites built using PHP are strongly advised to migrate away from version 5.x, as the latest version of the branch, 5.6.x, will reach the end of its support on Dec 31, 2018. With around 10 weeks left, web developers need to migrate from their aging PHP 5.x, which at the time of this writing is installed on 62% of all PHP sites, to a newer supported version.
The option to remain means exposure to known vulnerabilities, which many hacking communities will take advantage of. By reverse engineering the patches and comparing the newer version of PHP with the old one, threat actors can find the areas of the software that a patch fixes, weaponizing the vulnerability in the process. As not every website running PHP 5.x will be updated by Jan 1, 2019, thousands of websites will be opening themselves to hacking exploits and data breaches.
“This is a huge problem for the PHP ecosystem. While many feel that they can ‘get away with’ running PHP 5 in 2019, the simplest way to describe this choice is: Negligence. To be totally fair: It’s likely that any major, mass-exploitable flaw in PHP 5.6 would also affect the newer versions of PHP. PHP 7.2 will get a patch from the PHP team, for free, in a timely manner; PHP 5.6 will only get one if you’re paying for ongoing support from your OS vendor. If anyone finds themselves running PHP 5 after the end of the year, ask yourself: Do you feel lucky? Because I sure wouldn’t,” explained Scott Arciszewski, Paragon Initiative Enterprise’s Chief Development Officer.
PHP is a big part of the three biggest CMS (Content Management System) software packages today: Drupal, Joomla, and WordPress. Out of the three, only Drupal was aggressive in pushing its users to adopt PHP 7.x, though unfortunately, it has been outdated and unsupported since Dec 3, 2017. In Drupal, the web developer can easily update to the newest version without any complex actions.
For Joomla and WordPress, the developers of these CMSs have remained silent on their position regarding PHP 5.x’s obsolescence. “The biggest source of inertia in the PHP ecosystem regarding versions is undoubtedly WordPress, which still refuses to drop support for PHP 5.2 because there are more than zero systems in the universe that still run WordPress on an ancient, unsupported version of PHP,” added Arciszewski.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.