PHP Install Statistics


After yesterday’s post, I decided to do some math to see how many PHP installs have at least one known security vulnerability. I grabbed version statistics from W3Techs, correlated them with the PHP versions that supported Linux distribution releases still maintain, whipped up a spreadsheet and got some interesting numbers out of it. So interesting that I need to share…

UPDATE:

Wow, this post got traction pretty fast. I started applying the same analysis to other platforms (where w3techs had data). Rather than doing a new post, I’ll just link the raw data in a Google Sheet (if you want to edit, just duplicate the sheet; everything is formula driven, so update away).

So, what’s the breakdown?

| Platform | % Installs That Are Secure |
| --- | --- |
| Perl | 82.27% |
| Python | 77.59% |
| Nginx | 64.48% |
| Apache | 61.96% |
| WordPress | 60.45% |
| Drupal | 45.23% |
| PHP | 25.94% |

Note that the PHP numbers in the sheet are slightly higher than in the rest of this post. This is due to adding Fedora, as well as adding 5.4.34 to the Debian 7 support list (over-counting Debian 7 again).

What Is A Secure And Supported Version?

Well, for purposes of this analysis, we’ll call a version secure if it has no known vulnerabilities, i.e. it is at or newer than the most recent security release of its branch.

That gives us the following secure versions:

  • 5.6.4
  • 5.5.20
  • 5.4.36

We’ll also count those that are maintained by Linux distributions in supported releases. For example, Debian 5.0 is no longer maintained, so the version of PHP it ships with (5.2.6) is considered no longer supported or secure.

That gives us the following table:

| Distribution | Distro Version | PHP Version |
| --- | --- | --- |
| Debian | 7 (Wheezy) | 5.4.4 |
| Debian | 6 (Squeeze) | 5.3.3 |
| Ubuntu | 14.10 (Utopic) | 5.5.12 |
| Ubuntu | 14.04 (Trusty) | 5.5.9 |
| Ubuntu | 12.04 (Precise) | 5.3.10 |
| Ubuntu | 10.04 (Lucid) | 5.3.2 |
| CentOS | 7.0 | 5.4.16 |
| CentOS | 6.6 | 5.3.3 |
| CentOS | 5.11 | 5.1.6 |

Now, for our purposes, we’ll assume that any 5.4.4 install will be secure, since we can’t distinguish Debian versions (supported) from non-Debian installs (unsupported).

This means that our “secure” numbers will be over-inflated. But let’s plug it in and see what happens.

So that means our total list of secure PHP versions (with no known vulnerabilities) is:

  • 5.6.4
  • 5.5.20
  • 5.5.12
  • 5.5.9
  • 5.4.36
  • 5.4.16
  • 5.4.4
  • 5.3.10
  • 5.3.3
  • 5.3.2
  • 5.1.6

PHP 5.6

So, looking at the W3Techs numbers, we can see that 5.6 has a total adoption rate of 0.4%. This means that 0.4% of all PHP installs use 5.6.x. So let’s look at the breakdown:

| Version | % Of Minor | % Of Total | Secure? |
| --- | --- | --- | --- |
| 5.6.4 | 6.7 | 0.0268 | Yes |
| 5.6.3 | 29.1 | 0.1164 | No |
| 5.6.2 | 31.8 | 0.1272 | No |
| 5.6.1 | 5.2 | 0.0208 | No |
| 5.6.0 | 27.2 | 0.1088 | No |

So, 6.7% of all PHP 5.6 installs are running 5.6.4, and are therefore secure (since it’s the only secure and maintained PHP 5.6 version).

So, correlating that to our list of secure PHP versions, we come up with the following breakdown for 5.6:

| Type | % Of Minor | % Of Total |
| --- | --- | --- |
| Secure 5.6 | 6.7 | 0.0268 |
| Insecure 5.6 | 93.3 | 0.3732 |

So only 6.7% of PHP 5.6 installs are running secure versions. And only 0.0268% of all PHP installs are running a secure version of PHP 5.6…

PHP 5.5

PHP 5.5 is a bit more interesting, with a total adoption of 6%. And there are a lot more releases to look at:

| Version | % Of Minor | % Of Total | Secure? |
| --- | --- | --- | --- |
| 5.5.20 | 3.6 | 0.216 | Yes |
| 5.5.19 | 14.2 | 0.852 | No |
| 5.5.18 | 14.2 | 0.852 | No |
| 5.5.17 | 5.6 | 0.336 | No |
| 5.5.16 | 4.5 | 0.27 | No |
| 5.5.15 | 3.3 | 0.198 | No |
| 5.5.14 | 2.9 | 0.174 | No |
| 5.5.13 | 1.8 | 0.108 | No |
| 5.5.12 | 2.7 | 0.162 | Yes |
| 5.5.11 | 2.9 | 0.174 | No |
| 5.5.10 | 1.6 | 0.096 | No |
| 5.5.9 | 30.3 | 1.818 | Yes |
| 5.5.8 | 3.2 | 0.192 | No |
| 5.5.7 | 1.4 | 0.084 | No |
| 5.5.6 | 1.1 | 0.066 | No |
| 5.5.5 | 0.6 | 0.036 | No |
| 5.5.4 | 0.5 | 0.03 | No |
| 5.5.3 | 4.3 | 0.258 | No |
| 5.5.2 | 0.1 | 0.006 | No |
| 5.5.1 | 0.6 | 0.036 | No |
| 5.5.0 | 0.6 | 0.036 | No |

Things look a bit better here.

| Type | % Of Minor | % Of Total |
| --- | --- | --- |
| Secure 5.5 | 36.6 | 2.196 |
| Insecure 5.5 | 63.4 | 3.804 |

Our total increased here. 33.6% of all 5.5 installs are running secure versions. This is MUCH better than 5.6, but still horrifically low…

PHP 5.4

With PHP 5.4 we again see a huge jump in overall adoption at 26.4% of all PHP installs. So let’s break it down by version:

| Version | % Of Minor | % Of Total | Secure? |
| --- | --- | --- | --- |
| 5.4.36 | 0.9 | 0.2376 | Yes |
| 5.4.35 | 20.8 | 5.4912 | No |
| 5.4.34 | 17.4 | 4.5936 | No |
| 5.4.33 | 6.7 | 1.7688 | No |
| 5.4.32 | 5.5 | 1.452 | No |
| 5.4.31 | 4.4 | 1.1616 | No |
| 5.4.30 | 4.6 | 1.2144 | No |
| 5.4.29 | 3.5 | 0.924 | No |
| 5.4.28 | 3.1 | 0.8184 | No |
| 5.4.27 | 3.6 | 0.9504 | No |
| 5.4.26 | 2.9 | 0.7656 | No |
| 5.4.25 | 1.9 | 0.5016 | No |
| 5.4.24 | 2.7 | 0.7128 | No |
| 5.4.23 | 1.9 | 0.5016 | No |
| 5.4.22 | 1.3 | 0.3432 | No |
| 5.4.21 | 1.1 | 0.2904 | No |
| 5.4.20 | 1.2 | 0.3168 | No |
| 5.4.19 | 1 | 0.264 | No |
| 5.4.18 | 0.3 | 0.0792 | No |
| 5.4.17 | 1.2 | 0.3168 | No |
| 5.4.16 | 1.6 | 0.4224 | Yes |
| 5.4.15 | 0.3 | 0.0792 | No |
| 5.4.14 | 0.6 | 0.1584 | No |
| 5.4.13 | 0.3 | 0.0792 | No |
| 5.4.12 | 0.4 | 0.1056 | No |
| 5.4.11 | 0.4 | 0.1056 | No |
| 5.4.10 | 0.2 | 0.0528 | No |
| 5.4.9 | 0.7 | 0.1848 | No |
| 5.4.8 | 0.2 | 0.0528 | No |
| 5.4.7 | 0.4 | 0.1056 | No |
| 5.4.6 | 0.7 | 0.1848 | No |
| 5.4.5 | 0.1 | 0.0264 | No |
| 5.4.4 | 8.1 | 2.1384 | Yes |
| 5.4.3 | 0.1 | 0.0264 | No |
| 5.4.2 | 0 | 0 | No |
| 5.4.1 | 0 | 0 | No |
| 5.4.0 | 0.1 | 0.0264 | No |

Things look far more grim again here:

| Type | % Of Minor | % Of Total |
| --- | --- | --- |
| Secure 5.4 | 10.6 | 2.7984 |
| Insecure 5.4 | 89.6 | 23.6544 |

Note here that the total is 100.2%. This is due to precision errors in the figures reported by W3Techs. But it shouldn’t affect our overall figures.

So 89.6% of 5.4 installs are vulnerable. Yay.

PHP 5.3

Now we get to the big one. Accounting for a whopping 45.9% of all PHP installs, 5.3 hits big. So let’s look at the numbers:

| Version | % Of Minor | % Of Total | Secure? |
| --- | --- | --- | --- |
| 5.3.29 | 23.7 | 10.8783 | No |
| 5.3.28 | 15.5 | 7.1145 | No |
| 5.3.27 | 7.2 | 3.3048 | No |
| 5.3.26 | 2.4 | 1.1016 | No |
| 5.3.25 | 0.9 | 0.4131 | No |
| 5.3.24 | 1 | 0.459 | No |
| 5.3.23 | 1.5 | 0.6885 | No |
| 5.3.22 | 0.6 | 0.2754 | No |
| 5.3.21 | 0.8 | 0.3672 | No |
| 5.3.20 | 0.6 | 0.2754 | No |
| 5.3.19 | 0.8 | 0.3672 | No |
| 5.3.18 | 0.9 | 0.4131 | No |
| 5.3.17 | 1 | 0.459 | No |
| 5.3.16 | 0.5 | 0.2295 | No |
| 5.3.15 | 0.9 | 0.4131 | No |
| 5.3.14 | 0.6 | 0.2754 | No |
| 5.3.13 | 3.2 | 1.4688 | No |
| 5.3.12 | 0 | 0 | No |
| 5.3.11 | 0 | 0 | No |
| 5.3.10 | 9 | 4.131 | Yes |
| 5.3.9 | 0.3 | 0.1377 | No |
| 5.3.8 | 1.5 | 0.6885 | No |
| 5.3.7 | 0 | 0 | No |
| 5.3.6 | 1.2 | 0.5508 | No |
| 5.3.5 | 0.7 | 0.3213 | No |
| 5.3.4 | 0.1 | 0.0459 | No |
| 5.3.3 | 22.6 | 10.3734 | Yes |
| 5.3.2 | 2.3 | 1.0557 | Yes |
| 5.3.1 | 0.1 | 0.0459 | No |
| 5.3.0 | 0.1 | 0.0459 | No |

The case here is almost identical to 5.5:

| Type | % Of Minor | % Of Total |
| --- | --- | --- |
| Secure 5.3 | 33.9 | 15.5601 |
| Insecure 5.3 | 66.1 | 30.3399 |

Not much else to comment on here.

PHP 5.2

Note that PHP 5.2 is not maintained by any current release of any of the 3 main distributions. Therefore, we can safely skip the version-by-version breakdown and jump right to the conclusion:

| Type | % Of Minor | % Of Total |
| --- | --- | --- |
| Secure 5.2 | 0 | 0 |
| Insecure 5.2 | 100 | 20.1 |

PHP 5.1

PHP 5.1 accounts for 1.2% of all PHP installs. So let’s break it down:

| Version | % Of Minor | % Of Total | Secure? |
| --- | --- | --- | --- |
| 5.1.6 | 94.8 | 1.1376 | Yes |
| 5.1.5 | 0.2 | 0.0024 | No |
| 5.1.4 | 1.4 | 0.0168 | No |
| 5.1.3 | 0 | 0 | No |
| 5.1.2 | 3.1 | 0.0372 | No |
| 5.1.1 | 0.4 | 0.0048 | No |
| 5.1.0 | 0 | 0 | No |

And totaling:

| Type | % Of Minor | % Of Total |
| --- | --- | --- |
| Secure 5.1 | 94.8 | 1.1376 |
| Insecure 5.1 | 5.2 | 0.0624 |

So the situation here is actually quite good, with 94.8% of all 5.1 installs being secure.

But it’s 5.1…

Totalling It Up:

Let’s sum up all of the total columns:

| Type | % Of Total |
| --- | --- |
| Secure | 21.71 |
| Insecure | 78.27 |

These numbers are optimistic. That’s because we’re counting all version numbers that are maintained by a distribution as secure, even though not all installs of that version number are going to be from a distribution. Just because 5.3.3 is maintained by CentOS and Debian doesn’t mean that every install of 5.3.3 is maintained. There will be a small percentage of installs that are from-source.

Therefore, the real “secure” number is going to be less than quoted.

Additionally, it also assumes that the distribution installs are always updated. So just because you’re running Debian’s 5.3.3 doesn’t mean you’ve got all of the latest patches and updates for it.

So 21.71% is an upper bound on the number of secure installs.
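The rule defined in “What Is A Secure And Supported Version?”, the per-branch arithmetic used for each table above, and the over-counting caveat from this section can all be expressed in a few lines. What follows is an added example written for this post, not code from the original article: the function names, `UPSTREAM_LATEST` and `DISTRO_MAINTAINED` are my own, while the version lists and the 5.6 and 5.1 percentages are copied from the post’s tables. The `count_distro` switch reproduces the caveat: with it on, every install of a distro-shipped version number counts as secure (the upper bound); with it off, only upstream releases count.

```python
"""Reproduce the post's per-branch secure/insecure breakdown.

Added example for this post; it is not code from the original article.
Version lists and percentages are copied from the post's tables;
the function and variable names are my own.
"""
from typing import Dict, Tuple

# Most recent upstream security release per minor branch, per the post.
# Branches with no entry (5.3, 5.2, 5.1) have no secure upstream release.
UPSTREAM_LATEST: Dict[str, str] = {"5.6": "5.6.4", "5.5": "5.5.20", "5.4": "5.4.36"}

# Versions still patched by a supported distribution release
# (the post's Debian / Ubuntu / CentOS table).
DISTRO_MAINTAINED = {
    "5.5.12", "5.5.9", "5.4.16", "5.4.4", "5.3.10", "5.3.3", "5.3.2", "5.1.6",
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Split 'major.minor.patch' into integers so patch levels compare numerically."""
    major, minor, patch = (int(part) for part in version.split("."))
    return major, minor, patch


def is_secure(version: str, count_distro: bool = True) -> bool:
    """The post's rule: a version is secure if it is at or above the latest
    upstream security release of its branch, or (when count_distro is set)
    if a supported distribution still backports fixes to that version number."""
    major, minor, patch = parse_version(version)
    latest = UPSTREAM_LATEST.get(f"{major}.{minor}")
    if latest is not None and patch >= parse_version(latest)[2]:
        return True
    return count_distro and version in DISTRO_MAINTAINED


def branch_breakdown(branch_share: float, per_version: Dict[str, float],
                     count_distro: bool = True) -> Dict[str, float]:
    """branch_share: the branch's % of all PHP installs (W3Techs).
    per_version: version -> % of installs within that branch.
    Returns the 'Secure X.Y' / 'Insecure X.Y' rows of the post's tables, plus
    'coverage' (secure + insecure % of minor), which the post notes can miss
    100 because W3Techs reports one decimal place."""
    secure_minor = sum(pct for v, pct in per_version.items() if is_secure(v, count_distro))
    insecure_minor = sum(pct for v, pct in per_version.items() if not is_secure(v, count_distro))
    return {
        "secure_minor": round(secure_minor, 4),
        "secure_total": round(secure_minor * branch_share / 100, 4),
        "insecure_minor": round(insecure_minor, 4),
        "insecure_total": round(insecure_minor * branch_share / 100, 4),
        "coverage": round(secure_minor + insecure_minor, 4),
    }


# Data copied from the post: 5.6 holds 0.4% of all installs, 5.1 holds 1.2%.
PHP_56 = {"5.6.4": 6.7, "5.6.3": 29.1, "5.6.2": 31.8, "5.6.1": 5.2, "5.6.0": 27.2}
PHP_51 = {"5.1.6": 94.8, "5.1.5": 0.2, "5.1.4": 1.4, "5.1.3": 0.0,
          "5.1.2": 3.1, "5.1.1": 0.4, "5.1.0": 0.0}


if __name__ == "__main__":
    print("5.6:", branch_breakdown(0.4, PHP_56))
    print("5.1, counting CentOS 5's 5.1.6 as maintained:", branch_breakdown(1.2, PHP_51))
    print("5.1, upstream releases only:", branch_breakdown(1.2, PHP_51, count_distro=False))
```

Running it gives the post’s 5.6 rows (6.7 / 0.0268 secure, 93.3 / 0.3732 insecure). For 5.1 the two runs show how much the distro assumption is worth: 94.8% of the branch is “secure” only because CentOS 5.11 still ships 5.1.6; treat that as an unmaintained from-source build and the secure share drops to zero. The `coverage` field for 5.1 comes out at 99.9 rather than 100, the same rounding gap the post mentions for 5.4.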

This Is Pathetic

This is absolutely and unequivocally pathetic. This means that over 78% of all PHP installs have at least one known security vulnerability. Pathetic.

Check your installed versions. Push for people to update. Don’t accept “if it works, don’t fix it.”… You have the power to change this, so change it.

Security is everyone’s problem. What matters is how you deal with it.