After yesterday’s post, I decided to do some math to see how many PHP installs had at least 1 known security vulnerability. So I went to grab statistics from W3Techs, and correlated that with known Linux Distribution supported numbers. I then whipped up a spreadsheet and got some interesting numbers out of it. So interesting, that I need to share…
UPDATE:
Wow, this post got traction pretty fast. I started applying the same analysis to other platforms (where w3techs had data). Rather than doing a new post, I’ll just link the raw data in a Google Sheet (if you want to edit, just duplicate the sheet; everything is formula driven, so update away).
So, what’s the breakdown?
Platform | % Installs That Are Secure |
---|---|
Perl | 82.27% |
Python | 77.59% |
Nginx | 64.48% |
Apache | 61.96% |
WordPress | 60.45% |
Drupal | 45.23% |
PHP | 25.94% |
Note that the PHP figures here are slightly higher than in the rest of this post. This is because Fedora was added, and 5.4.34 was added to the Debian 7 support list (over-counting Debian 7 again).
What Is A Secure And Supported Version?
Well, for the purposes of this analysis, we’ll call a version secure if it has no known vulnerabilities. In practice that means the most recent security release of each supported branch, or anything newer.
That gives us the following secure versions:
- 5.6.4
- 5.5.20
- 5.4.36
We’ll also count versions that are maintained by a Linux distribution in a currently supported release, since distributions backport security fixes into the version they originally shipped without changing the upstream version number. For example, Debian 5.0 is no longer maintained, so the version of PHP it ships with (5.2.6) is considered neither supported nor secure.
That gives us the following table:
Distribution | Distro Version | PHP Version |
---|---|---|
Debian | 7 (Wheezy) | 5.4.4 |
Debian | 6 (Squeeze) | 5.3.3 |
Ubuntu | 14.10 (Utopic) | 5.5.12 |
Ubuntu | 14.04 (Trusty) | 5.5.9 |
Ubuntu | 12.04 (Precise) | 5.3.10 |
Ubuntu | 10.04 (Lucid) | 5.3.2 |
CentOS | 7.0 | 5.4.16 |
CentOS | 6.6 | 5.3.3 |
CentOS | 5.11 | 5.1.6 |
Now, for our purposes, we’ll assume that every 5.4.4 install is secure, since the W3Techs data cannot distinguish Debian’s maintained 5.4.4 from an unmaintained 5.4.4 built from source.
This means our “secure” numbers will be inflated. But let’s plug it in and see what happens.
So our total list of secure PHP versions (the upstream security releases plus the distribution-maintained versions from the table above) is:
- 5.6.4
- 5.5.20
- 5.4.36
- 5.5.12 (Ubuntu 14.10)
- 5.5.9 (Ubuntu 14.04)
- 5.4.16 (CentOS 7.0)
- 5.4.4 (Debian 7)
- 5.3.10 (Ubuntu 12.04)
- 5.3.3 (Debian 6, CentOS 6.6)
- 5.3.2 (Ubuntu 10.04)
- 5.1.6 (CentOS 5.11)
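The classification rule and the per-branch arithmetic used throughout this post, as an added Python example (it is not the author’s spreadsheet). It encodes the two lists above, then applies them to the 5.6 and 5.5 version shares copied from the tables later in this post, reproducing the 6.7% and 36.6% secure figures. The branch adoption numbers (0.4% and 6%) are also the post’s; nothing is fetched from W3Techs, and the other branches work the same way.

```python
"""Reproduce the post's per-branch "secure install" figures.

Added example for this post, not the author's spreadsheet. Rule, as in the
post: a version counts as secure if it is the newest security release of its
branch (or newer), or if it is the version shipped by a supported
distribution release. The percentages below are copied from the post's
5.6 and 5.5 tables; nothing is fetched from W3Techs.
"""
from collections import defaultdict

# Newest upstream security release per branch, from the post.
LATEST_SECURITY_RELEASE = {"5.6": (5, 6, 4), "5.5": (5, 5, 20), "5.4": (5, 4, 36)}

# Versions shipped by supported Debian/Ubuntu/CentOS releases, from the post's table.
DISTRO_MAINTAINED = {"5.4.4", "5.3.3", "5.5.12", "5.5.9", "5.3.10", "5.3.2",
                     "5.4.16", "5.1.6"}

# Share of all PHP installs held by each branch (percent), from the post.
BRANCH_SHARE = {"5.6": 0.4, "5.5": 6.0}

# Share of each patch release within its branch (percent), from the post's tables.
VERSION_SHARE = {
    "5.6.4": 6.7, "5.6.3": 29.1, "5.6.2": 31.8, "5.6.1": 5.2, "5.6.0": 27.2,
    "5.5.20": 3.6, "5.5.19": 14.2, "5.5.18": 14.2, "5.5.17": 5.6, "5.5.16": 4.5,
    "5.5.15": 3.3, "5.5.14": 2.9, "5.5.13": 1.8, "5.5.12": 2.7, "5.5.11": 2.9,
    "5.5.10": 1.6, "5.5.9": 30.3, "5.5.8": 3.2, "5.5.7": 1.4, "5.5.6": 1.1,
    "5.5.5": 0.6, "5.5.4": 0.5, "5.5.3": 4.3, "5.5.2": 0.1, "5.5.1": 0.6,
    "5.5.0": 0.6,
}


def parse_version(version):
    """'5.5.9' -> (5, 5, 9), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def branch_of(version):
    """'5.5.9' -> '5.5'."""
    return ".".join(version.split(".")[:2])


def is_secure(version):
    """The post's rule: at/after the branch's latest security release, or distro-maintained."""
    latest = LATEST_SECURITY_RELEASE.get(branch_of(version))
    if latest is not None and parse_version(version) >= latest:
        return True
    return version in DISTRO_MAINTAINED


def secure_share(version_share=VERSION_SHARE, branch_share=BRANCH_SHARE):
    """Return ({branch: {...}}, overall secure % of all installs).

    Per branch: the secure and insecure share of that branch and of all installs.
    Insecure is summed from the table rather than taken as 100 - secure, so a
    W3Techs rounding excess (the post's 5.4 table sums to 100.2%) shows up
    exactly as it does in the post.
    """
    secure = defaultdict(float)
    insecure = defaultdict(float)
    for version, pct in version_share.items():
        (secure if is_secure(version) else insecure)[branch_of(version)] += pct

    per_branch = {}
    overall = 0.0
    for branch, share in branch_share.items():
        row = {
            "secure_of_minor": round(secure[branch], 2),
            "insecure_of_minor": round(insecure[branch], 2),
            "secure_of_total": round(secure[branch] * share / 100, 4),
            "insecure_of_total": round(insecure[branch] * share / 100, 4),
        }
        per_branch[branch] = row
        overall += row["secure_of_total"]
    return per_branch, round(overall, 4)


if __name__ == "__main__":
    per_branch, overall = secure_share()
    for branch, row in per_branch.items():
        print(f"PHP {branch}: secure {row['secure_of_minor']}% of branch, "
              f"{row['secure_of_total']}% of all installs")
    print(f"Secure across these branches: {overall}% of all PHP installs")
```

To extend it to the other branches, paste the remaining tables into `VERSION_SHARE` and their adoption figures into `BRANCH_SHARE`; 5.3 and 5.1 have no entry in `LATEST_SECURITY_RELEASE`, so only their distribution-maintained versions count, exactly as in the post.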
PHP 5.6
So, looking at the W3Techs numbers, we can see that 5.6 has a total adoption rate of 0.4%. This means that 0.4% of all PHP installs use 5.6.x. So let’s look at the breakdown:
Version | % Of Minor | % Of Total | Secure? |
---|---|---|---|
5.6.4 | 6.7 | 0.0268 | Yes |
5.6.3 | 29.1 | 0.1164 | No |
5.6.2 | 31.8 | 0.1272 | No |
5.6.1 | 5.2 | 0.0208 | No |
5.6.0 | 27.2 | 0.1088 | No |
So, 6.7% of all PHP 5.6 installs are running 5.6.4, and are therefore secure (since it’s the only secure and maintained PHP 5.6 version).
So, correlating that to our list of secure PHP versions, we come up with the following breakdown for 5.6:
Type | % Of Minor | % Of Total |
---|---|---|
Secure 5.6 | 6.7 | 0.0268 |
Insecure 5.6 | 93.3 | 0.3732 |
So only 6.7% of PHP 5.6 installs are running secure versions. And only 0.0268% of all PHP installs are running a secure version of PHP 5.6…
PHP 5.5
PHP 5.5 is a bit more interesting, with a total adoption of 6%. And there are a lot more releases to look at:
Version | % Of Minor | % Of Total | Secure? |
---|---|---|---|
5.5.20 | 3.6 | 0.216 | Yes |
5.5.19 | 14.2 | 0.852 | No |
5.5.18 | 14.2 | 0.852 | No |
5.5.17 | 5.6 | 0.336 | No |
5.5.16 | 4.5 | 0.27 | No |
5.5.15 | 3.3 | 0.198 | No |
5.5.14 | 2.9 | 0.174 | No |
5.5.13 | 1.8 | 0.108 | No |
5.5.12 | 2.7 | 0.162 | Yes |
5.5.11 | 2.9 | 0.174 | No |
5.5.10 | 1.6 | 0.096 | No |
5.5.9 | 30.3 | 1.818 | Yes |
5.5.8 | 3.2 | 0.192 | No |
5.5.7 | 1.4 | 0.084 | No |
5.5.6 | 1.1 | 0.066 | No |
5.5.5 | 0.6 | 0.036 | No |
5.5.4 | 0.5 | 0.03 | No |
5.5.3 | 4.3 | 0.258 | No |
5.5.2 | 0.1 | 0.006 | No |
5.5.1 | 0.6 | 0.036 | No |
5.5.0 | 0.6 | 0.036 | No |
Things look a bit better here.
Type | % Of Minor | % Of Total |
---|---|---|
Secure 5.5 | 36.6 | 2.196 |
Insecure 5.5 | 63.4 | 3.804 |
Our total went up here: 36.6% of all 5.5 installs are running secure versions. This is MUCH better than 5.6, but still horrifically low…
PHP 5.4
With PHP 5.4 we again see a huge jump in overall adoption at 26.4% of all PHP installs. So let’s break it down by version:
Version | % Of Minor | % Of Total | Secure? |
---|---|---|---|
5.4.36 | 0.9 | 0.2376 | Yes |
5.4.35 | 20.8 | 5.4912 | No |
5.4.34 | 17.4 | 4.5936 | No |
5.4.33 | 6.7 | 1.7688 | No |
5.4.32 | 5.5 | 1.452 | No |
5.4.31 | 4.4 | 1.1616 | No |
5.4.30 | 4.6 | 1.2144 | No |
5.4.29 | 3.5 | 0.924 | No |
5.4.28 | 3.1 | 0.8184 | No |
5.4.27 | 3.6 | 0.9504 | No |
5.4.26 | 2.9 | 0.7656 | No |
5.4.25 | 1.9 | 0.5016 | No |
5.4.24 | 2.7 | 0.7128 | No |
5.4.23 | 1.9 | 0.5016 | No |
5.4.22 | 1.3 | 0.3432 | No |
5.4.21 | 1.1 | 0.2904 | No |
5.4.20 | 1.2 | 0.3168 | No |
5.4.19 | 1 | 0.264 | No |
5.4.18 | 0.3 | 0.0792 | No |
5.4.17 | 1.2 | 0.3168 | No |
5.4.16 | 1.6 | 0.4224 | Yes |
5.4.15 | 0.3 | 0.0792 | No |
5.4.14 | 0.6 | 0.1584 | No |
5.4.13 | 0.3 | 0.0792 | No |
5.4.12 | 0.4 | 0.1056 | No |
5.4.11 | 0.4 | 0.1056 | No |
5.4.10 | 0.2 | 0.0528 | No |
5.4.9 | 0.7 | 0.1848 | No |
5.4.8 | 0.2 | 0.0528 | No |
5.4.7 | 0.4 | 0.1056 | No |
5.4.6 | 0.7 | 0.1848 | No |
5.4.5 | 0.1 | 0.0264 | No |
5.4.4 | 8.1 | 2.1384 | Yes |
5.4.3 | 0.1 | 0.0264 | No |
5.4.2 | 0 | 0 | No |
5.4.1 | 0 | 0 | No |
5.4.0 | 0.1 | 0.0264 | No |
Things look far grimmer here:
Type | % Of Minor | % Of Total |
---|---|---|
Secure 5.4 | 10.6 | 2.7984 |
Insecure 5.4 | 89.6 | 23.6544 |
Note that the “% Of Minor” column totals 100.2% here. This is due to rounding in the figures reported by W3Techs, but it shouldn’t affect our overall figures.
So 89.6% of 5.4 installs are vulnerable. Yay.
PHP 5.3
Now we get to the big one. Accounting for a whopping 45.9% of all PHP installs, 5.3 hits big. So let’s look at the numbers:
Version | % Of Minor | % Of Total | Secure? |
---|---|---|---|
5.3.29 | 23.7 | 10.8783 | No |
5.3.28 | 15.5 | 7.1145 | No |
5.3.27 | 7.2 | 3.3048 | No |
5.3.26 | 2.4 | 1.1016 | No |
5.3.25 | 0.9 | 0.4131 | No |
5.3.24 | 1 | 0.459 | No |
5.3.23 | 1.5 | 0.6885 | No |
5.3.22 | 0.6 | 0.2754 | No |
5.3.21 | 0.8 | 0.3672 | No |
5.3.20 | 0.6 | 0.2754 | No |
5.3.19 | 0.8 | 0.3672 | No |
5.3.18 | 0.9 | 0.4131 | No |
5.3.17 | 1 | 0.459 | No |
5.3.16 | 0.5 | 0.2295 | No |
5.3.15 | 0.9 | 0.4131 | No |
5.3.14 | 0.6 | 0.2754 | No |
5.3.13 | 3.2 | 1.4688 | No |
5.3.12 | 0 | 0 | No |
5.3.11 | 0 | 0 | No |
5.3.10 | 9 | 4.131 | Yes |
5.3.9 | 0.3 | 0.1377 | No |
5.3.8 | 1.5 | 0.6885 | No |
5.3.7 | 0 | 0 | No |
5.3.6 | 1.2 | 0.5508 | No |
5.3.5 | 0.7 | 0.3213 | No |
5.3.4 | 0.1 | 0.0459 | No |
5.3.3 | 22.6 | 10.3734 | Yes |
5.3.2 | 2.3 | 1.0557 | Yes |
5.3.1 | 0.1 | 0.0459 | No |
5.3.0 | 0.1 | 0.0459 | No |
The case here is almost identical to 5.5:
Type | % Of Minor | % Of Total |
---|---|---|
Secure 5.3 | 33.9 | 15.5601 |
Insecure 5.3 | 66.1 | 30.3399 |
Not much else to comment on here.
PHP 5.2
Note that PHP 5.2 is not maintained by any currently supported release of the three distributions above. Therefore, we can safely skip the version-by-version breakdown and jump right to the conclusion:
Type | % Of Minor | % Of Total |
---|---|---|
Secure 5.2 | 0 | 0 |
Insecure 5.2 | 100 | 20.1 |
PHP 5.1
PHP 5.1 accounts for 1.2% of all PHP installs. So let’s break it down:
Version | % Of Minor | % Of Total | Secure? |
---|---|---|---|
5.1.6 | 94.8 | 1.1376 | Yes |
5.1.5 | 0.2 | 0.0024 | No |
5.1.4 | 1.4 | 0.0168 | No |
5.1.3 | 0 | 0 | No |
5.1.2 | 3.1 | 0.0372 | No |
5.1.1 | 0.4 | 0.0048 | No |
5.1.0 | 0 | 0 | No |
And totaling:
Type | % Of Minor | % Of Total |
---|---|---|
Secure 5.1 | 94.8 | 1.1376 |
Insecure 5.1 | 5.2 | 0.0624 |
So the situation here is actually quite good, with 94.8% of all 5.1 installs being secure.
But it’s 5.1…
Totalling It Up:
Let’s sum up all of the total columns:
Type | % Of Total |
---|---|
Secure | 21.71 |
Insecure | 78.33 |
(The insecure figure is 0.3732 + 3.804 + 23.6544 + 30.3399 + 20.1 + 0.0624; the two rows add up to slightly more than 100% because of the 5.4 rounding excess noted above.)
These numbers are optimistic. That’s because we’re counting all version numbers that are maintained by a distribution as secure, even though not all installs of that version number are going to be from a distribution. Just because 5.3.3 is maintained by CentOS and Debian doesn’t mean that every install of 5.3.3 is maintained. There will be a small percentage of installs that are from-source.
Therefore, the real “secure” number is going to be less than quoted.
It also assumes that distribution installs are always kept updated. So just because you’re running Debian’s 5.3.3 doesn’t mean you’ve got all of the latest patches for it.
So 21.71% is an upper bound on the number of secure installs.
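The ambiguity above (a distribution version number such as 5.3.3 does not by itself prove an install is patched) is something you can resolve on hosts you control, which is what the conclusion asks you to do. The added Python example below is not part of the original post: it reads the version token from `php -v` and uses the distribution revision suffix (which Debian and Ubuntu bake into the version string, and which RPM systems expose via `rpm -q`) to tell a distro-maintained build from a source build, then applies the post’s upstream list to the latter. The command outputs are constructed samples; the suffix formats follow Debian/Ubuntu and RHEL/CentOS packaging conventions.

```python
"""Check a PHP install against the post's "secure version" rule.

Added example, not part of the original post. A distribution build carries
backported fixes that the bare version number does not show, so a distro
revision suffix is taken as the signal that the package, not the upstream
release, is what must be kept current. Sample command outputs are
constructed; the latest upstream releases are the ones listed in the post.
"""
import re
import shutil
import subprocess

# Newest upstream security release per branch, from the post.
LATEST_UPSTREAM = {"5.6": "5.6.4", "5.5": "5.5.20", "5.4": "5.4.36"}


def php_version_token(php_v_output):
    """First token after 'PHP ' on the first line of `php -v`.

    Debian and Ubuntu bake the package revision into PHP_VERSION, so this is
    '5.5.9-1ubuntu4.5' there; Red Hat family builds report a bare '5.3.3'.
    """
    match = re.match(r"^PHP (\S+)", php_v_output.strip())
    if not match:
        raise ValueError("unrecognised `php -v` output")
    return match.group(1)


def split_token(token):
    """'5.4.4-14+deb7u14' -> ('5.4.4', '-14+deb7u14'); '5.3.3' -> ('5.3.3', '')."""
    match = re.match(r"^(\d+\.\d+\.\d+)(.*)$", token)
    if not match:
        raise ValueError(f"unrecognised version token {token!r}")
    return match.group(1), match.group(2)


def numeric(version):
    """'5.5.19' -> (5, 5, 19) for a numeric comparison."""
    return tuple(int(part) for part in version.split("."))


def assess(php_v_output, rpm_release=None):
    """Classify one install from its `php -v` output.

    rpm_release is the RELEASE field from `rpm -q --qf '%{RELEASE}' php`, used
    on RPM systems where `php -v` does not reveal the package revision.
    """
    upstream, suffix = split_token(php_version_token(php_v_output))
    if not suffix and rpm_release:
        suffix = "-" + rpm_release
    branch = ".".join(upstream.split(".")[:2])
    latest = LATEST_UPSTREAM.get(branch)

    if suffix:
        verdict = "distro-maintained"
        action = ("backported fixes, version number will not move: confirm no "
                  "pending php update in the package manager and that the "
                  "distribution release itself is still supported")
    elif latest is None:
        verdict = "unsupported-branch"
        action = f"PHP {branch} receives no upstream security releases; upgrade"
    elif numeric(upstream) >= numeric(latest):
        verdict = "current"
        action = "at or beyond the latest security release"
    else:
        verdict = "outdated"
        action = f"upstream build behind {latest}; upgrade"
    return {"upstream": upstream, "revision": suffix, "branch": branch,
            "verdict": verdict, "action": action}


def local_report():
    """Run the real commands on this host; returns None if php is not installed."""
    php = shutil.which("php")
    if php is None:
        return None
    php_v = subprocess.run([php, "-v"], capture_output=True, text=True).stdout
    release = None
    if shutil.which("rpm"):
        rpm = subprocess.run(["rpm", "-q", "--qf", "%{RELEASE}", "php"],
                             capture_output=True, text=True)
        if rpm.returncode == 0:
            release = rpm.stdout.strip()
    return assess(php_v, release)


# Constructed sample outputs, one per case (build dates are made up).
SAMPLES = [
    ("PHP 5.5.9-1ubuntu4.5 (cli) (built: Oct 29 2014 11:59:10)", None),
    ("PHP 5.3.3 (cli) (built: Oct 30 2014 20:12:40)", "40.el6_6"),
    ("PHP 5.5.19 (cli) (built: Nov 14 2014 17:48:31)", None),
    ("PHP 5.6.4 (cli) (built: Dec 18 2014 14:50:20)", None),
    ("PHP 5.3.29 (cli) (built: Aug 15 2014 09:25:24)", None),
]

if __name__ == "__main__":
    for php_v, release in SAMPLES:
        r = assess(php_v, release)
        print(f"{r['upstream']:<8}{r['revision']:<14}{r['verdict']:<20}{r['action']}")
    mine = local_report()
    if mine:
        print("this host:", mine["verdict"], "-", mine["action"])
```

A bare 5.3.3 with no package revision is deliberately reported as an unsupported branch, not as a maintained build: without the suffix there is no evidence that the binary is the distribution’s patched package, which is exactly the distinction the W3Techs data cannot make.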
This Is Pathetic
This is absolutely and unequivocally pathetic. This means that over 78% of all PHP installs have at least one known security vulnerability. Pathetic.
Check your installed versions. Push for people to update. Don’t accept “if it works, don’t fix it.”… You have the power to change this, so change it.
Security is everyone’s problem. What matters is how you deal with it.