CyberNews researchers found more than 80,000 servers worldwide still running outdated versions of PHP that are susceptible to hundreds of known vulnerabilities, making them easy prey for threat actors.
PHP is one of the most commonly used programming languages on the planet. It powers about 80% of the web, including popular content management systems like Drupal and WordPress. The main reasons behind this are PHP’s open-source nature, lightweight structure, and developer-friendly yet powerful features.
However, applications running on outdated versions of PHP on live servers are exposed to hacking and cyberattacks like everything else on the web, and this puts the data stored by those applications and servers within reach of cybercriminals.
PHP is regularly evolving, and when developers use an outdated version of the language, they expose their websites to security risks. By abusing these unpatched versions, malicious actors could exploit known security vulnerabilities to gain unauthorized access to the sites, modify their content, and steal user data.
This means that, depending on the service it’s hosting, a single web server running an unpatched version of PHP can seriously impact thousands, if not millions of users around the world. Therefore, running the most recent version of PHP is highly recommended.
Sadly, known vulnerabilities - whether in the PHP interpreter itself or in the applications built on it, such as cross-site scripting (XSS) and SQL injection (SQLi) flaws - are sometimes missed or ignored by overworked or less security-conscious developers.
In light of this, we at CyberNews decided to look at the numbers of vulnerable PHP web servers in the wild.
What we discovered was eye-opening: tens of thousands of web servers are still running outdated versions of PHP, with more than 80,000 being susceptible to hundreds of known vulnerabilities and ripe for being easily compromised by malicious actors.
You’d think that after years of massive breaches and devastating cyberattacks making the headlines, keeping essential software up to date would be a top priority for developers. Sadly, it seems that this isn’t always the case (to put it mildly), and this CyberNews investigation is the latest example of the widespread problem.
How we collected and analyzed the data
In order to carry out this investigation, we gathered a list of 20 different versions and subversions of PHP (from v3.0.0 to v7.4.3), and matched them with known Common Vulnerabilities and Exposures (CVEs) associated with those versions.
We then used Shodan to find internet-facing web servers advertising those PHP versions in their HTTP headers and investigated the results for statistical data. Note that this approach matches the advertised version string against CVE records; it does not confirm exploitability. In particular, Linux distributions often backport security fixes while keeping the original version number, so a banner match is an upper bound on exposure rather than proof of it.
From the initial results, we filtered out false positives and honeypots - decoy services or systems set up by security researchers that pose as targets for malicious actors.
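As an added illustration of the version-matching step described above (example code written for this article, not CyberNews’ own tooling), the script below extracts the PHP version a server advertises in its HTTP headers, compares it with the vulnerable version ranges of two real CVEs, and flags banners that come from distribution builds where fixes may have been backported. The HTTP responses are constructed for the example; the two CVE ranges are quoted from their public descriptions, and the list of distributions is an assumption used for triage, not proof either way.

```python
"""Banner-to-CVE triage for advertised PHP versions (added example).

Reads the PHP version a server advertises in X-Powered-By or Server,
matches it against per-branch vulnerable version ranges, and flags
distribution builds whose version string may hide backported fixes.
"""
import re
from typing import Optional

# Sample CVE table, constructed for the example. Each entry lists
# (first_affected_inclusive, fixed_in_exclusive) per release branch,
# quoted from the public CVE descriptions. Not the article's data.
CVE_TABLE = {
    # php-cgi argument injection via query string ("PHP before 5.3.12 and 5.4.x before 5.4.2")
    "CVE-2012-1823": [((0, 0, 0), (5, 3, 12)), ((5, 4, 0), (5, 4, 2))],
    # PHP-FPM env_path_info underflow ("7.1.x below 7.1.33, 7.2.x below 7.2.24, 7.3.x below 7.3.11")
    "CVE-2019-11043": [((7, 1, 0), (7, 1, 33)), ((7, 2, 0), (7, 2, 24)), ((7, 3, 0), (7, 3, 11))],
}

# Assumption for triage: these distributions commonly keep an old PHP
# version number while shipping backported security fixes.
BACKPORT_DISTROS = ("centos", "red hat", "rhel", "debian", "ubuntu", "suse")

VERSION_RE = re.compile(r"PHP/(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)

# Constructed HTTP response heads standing in for Shodan banner data.
SAMPLE_RESPONSES = {
    "stock_5_3_10": "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Powered-By: PHP/5.3.10\r\n\r\n",
    "centos_5_1_6": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nX-Powered-By: PHP/5.1.6\r\n\r\n",
    "fpm_7_3_4": "HTTP/1.1 200 OK\r\nServer: nginx/1.16.0\r\nX-Powered-By: PHP/7.3.4\r\n\r\n",
    "hidden": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def php_version(headers: dict) -> Optional[tuple]:
    """Return (major, minor, patch) from X-Powered-By or Server, or None if not advertised."""
    for field in ("x-powered-by", "server"):
        m = VERSION_RE.search(headers.get(field, ""))
        if m:
            major, minor, patch = m.groups()
            return (int(major), int(minor), int(patch or 0))
    return None


def matching_cves(version: tuple) -> list:
    """CVE ids whose vulnerable range contains the version (an upper bound on exposure)."""
    hits = [cve for cve, ranges in CVE_TABLE.items()
            if any(lo <= version < fixed for lo, fixed in ranges)]
    return sorted(hits)


def triage(raw_response: str) -> dict:
    """Classify one banner: no banner, no match, plain match, or match on a distro build."""
    headers = parse_headers(raw_response)
    version = php_version(headers)
    if version is None:
        return {"version": None, "cves": [], "backport_suspect": False,
                "verdict": "no PHP banner"}
    cves = matching_cves(version)
    server = headers.get("server", "").lower()
    backport_suspect = any(d in server for d in BACKPORT_DISTROS)
    if not cves:
        verdict = "no matching CVE in table"
    elif backport_suspect:
        verdict = "banner match on a distro build; verify, fixes may be backported"
    else:
        verdict = "banner match; treat as vulnerable until patched"
    return {"version": version, "cves": cves,
            "backport_suspect": backport_suspect, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, triage(raw))
```

The CentOS case is the one to notice: PHP/5.1.6 sits inside the range of CVE-2012-1823 by version number alone, but a distribution package with that banner may already carry the fix, so the verdict is “verify” rather than “vulnerable”. The hidden-banner case is a reminder that a server missing from a banner scan is not necessarily up to date either.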
Here’s what we found.
80,000+ PHP web servers are vulnerable to threat actors
As we can see, there are more than 80,000 vulnerable PHP web servers out in the wild. Worse still, these servers are broadcasting their PHP version publicly (typically through the X-Powered-By response header, which PHP emits whenever expose_php is left on in php.ini), for any threat actor to see and take advantage of.
While it might seem like a relatively small percentage when compared to the massive number of honeypots disguised as vulnerable servers, a nontrivial number of these PHP servers might host the data of thousands, if not millions of users.
“Outdated versions of PHP have been a significant security issue for a long time. PHP has been used to develop web applications for many years, and security vulnerabilities in PHP are regular occurrences needing an aggressive strategy to apply updates,” says Jacob Ansari, CISO of security and privacy compliance assessor Schellman & Company.
According to Ansari, the problem of PHP’s vulnerability to supply chain attacks was underscored by the recent attempt to backdoor PHP itself, in which threat actors pushed two malicious commits to the PHP source code after compromising its main Git server.
"Attackers have shown that they can mount viable attack efforts against the open-source project that powers a significant proportion of websites on the Internet today, and the many years of precedent of ignoring PHP security fixes means that when a subsequent attempt is successful, few users of PHP will respond quickly or thoroughly,” says Ansari.
The most vulnerable PHP version
Practically every PHP version is susceptible to more than one known vulnerability. However, many of those vulnerabilities have no publicly available exploit to date, making them less likely to be abused by cybercriminals who cannot write their own tools.
That being said, PHP version 5.2.0 is the most vulnerable version to date, being susceptible to 178 different known vulnerabilities according to cvedetails.com. We identified 9,165 unpatched servers with this version, with most of those (1,845) based in Japan.
More than 30,000 vulnerable servers run this version of PHP
On the other hand, version 5.1.6 is the most common PHP version among the vulnerable web servers, with 145 known vulnerabilities. We found a whopping 30,024 servers advertising this particular outdated version of the language. One caveat: 5.1.6 is the version string of the PHP packages shipped with Red Hat Enterprise Linux 5 and CentOS 5, which received backported security fixes for years without the version number changing, so some of these banners belong to builds that were patched against part of that list (although those distributions are themselves long out of support).
7.3.4, one of the newest versions included in our investigation, comes second. Thankfully, PHP 7.3.4 is ‘only’ susceptible to 6 known vulnerabilities, making it much safer than 5.1.6, although a short list is not the same as low risk: a single remotely exploitable bug with a public exploit is enough. We identified 14,447 servers running PHP 7.3.4, most of them (7,184) in China.
5.2.0, the most vulnerable PHP version out there, was the third most popular of the bunch, with 178 vulnerabilities known to security experts, and 9,165 vulnerable servers scattered around the world.
Most common known PHP vulnerabilities
CVE-2015-4000 (the ‘Logjam’ flaw) lets an attacker positioned between a client and the server downgrade a TLS connection to export-grade Diffie-Hellman and then recover the session keys, exposing the traffic. Similarly, CVE-2015-0204 (the ‘FREAK’ flaw in OpenSSL) allows a malicious or manipulated SSL server to force an RSA-to-EXPORT_RSA downgrade, after which the weak 512-bit ephemeral key can be factored and the session decrypted. Both are weaknesses in the TLS layer that PHP uses through its OpenSSL extension rather than in the PHP interpreter proper, and both target data in transit, not data at rest.
In practice, this means that any criminal worth their salt who gets into a man-in-the-middle position can read what users send to and receive from these servers - logins, session cookies, form data - as if it were sent in plain text.
It’s a trap: almost all honeypots run these PHP versions
Here’s an interesting, if somewhat less consequential, fact we learned during our investigation: all but eight honeypots we encountered during the investigation appear to be running on four versions of PHP: 3.0.0, 4.0.5, 5.1.1, and 5.3.0.
That said, they’re honeypots, which means that things may be radically different under the hood. In order to lure potential attackers, they may be broadcasting outdated versions on purpose, and in reality run different versions of PHP altogether.
According to CyberNews information security researcher Vincentas Baubonis, the vast majority of these honeypots are set up by researchers in order to observe cyberattacks or simply protect from spam.
“Many businesses, cybersecurity companies, as well as individual security enthusiasts and professionals create honeypots for research purposes,” says Baubonis. “The larger number of honeypots correlates with older PHP versions that are more popular and suffer from more known vulnerabilities, making it easier to log more types of attacks against them.”
With honeypots accounting for 96% of the raw results, less careful attackers stand a good chance of having their attempts against a seemingly vulnerable PHP server logged and analyzed by security researchers. Unfortunately, filtering out honeypots is not that difficult, and competent criminals usually manage to avoid them.
A simple solution to a widespread problem
When you're running a website, keeping an eye on every single security update can seem daunting.
Randolph Morris, CEO and founder of BitDevelopers, argues it would be naive to expect best practices from developers who don't specialize in cybersecurity: “Developers focus on getting products out to market as fast as possible. There is an inherent compromise between functionality and security and typically functionality and ease of use win. Also, sometimes there is functionality within a language that is uncommonly susceptible to exploit but is used in a system because it provides a faster path to provide some functionality.”
Stephen Twomey, CTO of Kennected, adds that many developers are hesitant to update their PHP versions because updates can break features and lead to code instability. “In many cases, they’ll wait as long as possible until proper testing and updating have been done to the new version,” says Twomey.
Leaving your software unpatched makes you a sitting duck for malicious actors, and can come back to haunt you in more ways than one. With so many easy targets available, cybercriminals need not bother going after websites that have even basic security in place, and the number of servers running ancient versions of PHP with hundreds of known vulnerabilities is testament to the staggering scale of this problem.
According to Morris, many of those vulnerable servers may in fact be already compromised. “In the old days, hackers used to like to let it be known they had taken over a server. But once the server admin realized their server was compromised, they would get rid of the vulnerabilities and flush out the hacker,” Morris told CyberNews. “Now we have persistent threats, which mean hackers operate slowly and long term. This also has the benefit of helping evade automated detection systems like IDS/IPS.”
While it would be difficult to ascertain how many of the vulnerable servers may have been infected by undetected malware payloads, the thought itself is quite sobering.
Granted, not all of the known vulnerabilities have been publicly exploited to date, but those that have continue to pose huge risks for the fans of the ‘Remind me tomorrow’ button.
“The fact that some of the versions we investigated have over 150 different vulnerabilities points to a massive risk of getting your corporate and personal data compromised if you choose to run PHP versions that are so old and vulnerable,” says Baubonis.
At the end of the day, it seems that between hundreds of thousands of exposed cameras and tens of thousands of vulnerable servers, cybercriminals have their work cut out for them.
The solution to this particular problem is rather simple: keeping software up to date will not only make you and your users much safer, but could also spare you the roughly $2.6 million that an average cyberattack costs. In other words, staying up to date is definitely worth the hassle.