When I hear the terms PHP-Selector or MultiPHP in the context of shared web hosting, this usually causes me to cringe a little bit. To be fair, there’s really nothing wrong with being able to select different PHP releases, my main gripe is with the ability to select old and outdated releases of PHP using these methods.
To better understand this, consider the lifetimes of a particular version of the PHP language. PHP, as some of you may be aware, is a web programming language. PHP is developed by the folks over at php.net and they release new versions from time to time. Typically a PHP release version (i.e. PHP version X.Y) will have a lifetime of about 3 years. During that lifetime various security releases may be released (i.e. PHP version X.Y.aa). These security releases rarely change any functionality but serve to fix security holes that have been discovered in those releases.
Why is end-of-life important? We covered that in a blog post back in October 2013. Basically, programmers and developers eventually have to end support for something so they can move on to bigger and better things. When a PHP release reaches end-of-life, that means it’s no longer being actively developed or maintained by the PHP developers – who are the ones that created it.
So this begs the question, from a pure security perspective, why should any end-of-life release of PHP be used? And that’s a very good question. The answer is that it shouldn’t be used. At the time of this blog post (September 2016), two PHP relases remain in life, PHP 5.6 and PHP 7.0 (see http://php.net/supported-versions.php). What this effectively means, is that as far as the PHP developers are concerned, PHP 5.6 and PHP 7.0 are the only releases that should be used. Yet, the web hosting industry is littered with PHP Selectors and MultiPHP systems that allow:
• PHP 5.5 (end-of-life: July 2016 – 2 months ago)
• PHP 5.4 (end-of-life: September 2016 – 1 year ago)
• PHP 5.3 (end-of-life: August 2014 – 2 years ago)
• PHP 5.2 (end-of-life: January 2011 – 5.5 years ago)
• PHP 5.1 (end-of-life: August 2006 – 10 years ago)
• PHP 5.0 (end-of-life: September 2005 – 11 years ago)
and more being made available. Why?
A common refrain I see for reasoning this is – “My script does not work on the latest release of PHP”. This is probably true, but instead of caving in and looking for a one-click easy solution of providing an outdated release of PHP, why not ask: “Is the script up-to-date and being kept up-to-date?”
We have already detailed in a previous blog post how the so-called Panama Papers were compromised due to the fact that the law firm holding the papers was using outdated versions of WordPress and Drupal on their website. So if you want to keep your website and the information behind your website safe, keeping your scripts up-to-date is one of the best thing you can do. Also worth mentioning is that a hacked or compromised script can have adverse affects for other users on a shared hosting server. If a website is hacked and compromised on a server and used to send out spam, that can have an adverse affect on other websites hosted on that shared hosting server..
So if you are using a script or CMS that does not work on current and supported releases of PHP, then that should tell you that the script or CMS you are using is out-of-date. If your script or CMS is out-of-date, it really doesn’t matter how patched up or hardened the underlying PHP release is, if your script or CMS is out-of-date, chances are great that it is vulnerable to some type of security exploit, and no amount of hardening of the underlying PHP release is going to protect you.
Being able to select old releases of PHP to allow you to continue to run your outdated script or CMS may look nice. It may allow you to keep your website up longer without any intervention on your part. But please understand, it’s just masking the problem that your script or CMS may be vulnerable to a much larger and much heavier attack. Hosting companies and administrators that suggest using these out-of-date PHP releases as a solution to your problem, either don’t understand enough, or don’t care about the security of your website or the well-being of other customers on the server and instead are just looking for an easy fix.