PHP Version Check - Cold LAMPin' Your IT

post-thumb

Running a LAMP server used to be what the cool kids did. Nowadays, cold lampin’ it ain’t cutting it no more.

Setting the Cultural Context

To me, “It Takes a Nation of Millions to Hold Us Back” represents the epitome of rap music that speaks out about the cultural division of US society, which has only polarized in recent years. Why I dare say that I know something about it in practice, is the fact that to me, a white, privileged Nordic teenager, living in the periphery of Detroit in 1990 highlighted the the black versus white dichotomy in a concrete way:

  • affluent versus poor
  • country club buffets versus food stamps.

More importantly, the lyrics of Carlton Douglas Ridenhour, have been the cultural inspiration for the name of this blog, Public Exposure. In a sense, he represents the attitude to speak out cold truths about the reality in which you live in, which in the context of this blog relates to the poor state of cyber security of the Internet as a whole.

LAMP: Linux, Apache, MySQL, PHP

LAMP used to represent the open source, alternative way of serving web content on the Internet. In the dotcom boom and its aftermath using LAMP instead of a commercial web server made it easy for anyone to build dynamic web applications that were self-hosted and affordable.

To draw a parallel into the early days of underground rap music, cold lampin’ meant:

Tapping into the electrical wires of a street light to power DJ and MC equipment, and sound system, for the use of underground hip-hop performances and battles.

but also in the words of Flavor Flav:

I aint doin nothin but cold lampin'.

which can be thought of as hanging out with your friends and doing nothing in particular – just chilling.

Why You Must not Cold LAMP your IT

I’m a sysadmin through and through. For me, letting your IT just hang out there unattended for years sounds like a nice recipe for disaster. In the inaugural post for this blog, I touched upon publicly exposed MySQL/MariaDB backends. In a more recent write-up, I looked at the obsolescence of the most famous LAMP server of them all, namely Wordpress.

This time around, we will turn the cyber security eye of Sauron towards PHP itself, which according to the definition of the PHP project is:

A popular general-purpose scripting language that is especially suited to web development. Fast, flexible and pragmatic, PHP powers everything from your blog to the most popular websites in the world.

A Brief History of PHP Releases

From the perspective of PHP release history, at present the version support timeline is as follows:

  • Support for PHP 3 has been discontinued since 2000-10-20.
  • Support for PHP 4 has been discontinued since 2008-08-07.
  • Support for PHP 5 has been discontinued since 2019-01-10.
  • PHP 6 never saw the light of day.
  • PHP 7.2 was deprecated on 2020-10-01
  • PHP 7.3 was deprecated on 2021-11-18.

PHP Version Distribution

What does the deployed PHP version distribution look like in practice?

The version distribution of PHP instances over a sample of 10k hosts.
The version distribution of PHP instances over a sample of 10k hosts.

Looking at a sample of 10k hosts, it is possible to discern that:

  1. Only 1/3 of the PHP instances on the web are running an officially supported version (7.4 - 8.1).
  2. 1/3 is running an unsupported version of PHP (7.0 - 7.3).
  3. 1/3 is running an obsolete version of PHP (4.0 - 5.6).

So in the cold light of day, these numbers represent the biggest failure of the LAMP paradigm, namely poor maintainability. This is especially true, when you cross-reference the release timeline against PHP vulnerabilites. In addition, poor maintainability is often a result of PHP applications being written strictly against the components of a given version and that the application has not been maintained, i.e. kept up with the changes of PHP itself.

LAMP, an obsolete paradigm?

In their daily quest for clickbait content, (mainstream) media covering cyber security tends towards the exploit du jour, the exploit of the day. LAMP instances silently rotting away rarely make the headlines, unless there is a cataclysmic flaw in a given version of PHP or a major site is impacted. Even then the buzz lasts only for a given news cycle, whereafter the attention of the eye of Sauron turns elsewhere.

My main motivation for this write-up is to raise awareness of the fact that the Internet is a harsh place and if you want to run a dedicated LAMP server on your own and keep it secure over time, it is a very involved process. To save you from unnecessary headaches, I would recommend turning away from the paradigm unless you are able to walk the walk.

Very often, static content is served over unnecessarily complex tech stacks. Static code generators such as Hugo, can make your life a lot easier. They, after all, take the complexity out of reach for the direct exploitation mechanisms and thus raise the bar for the attacker. At the end of the day, this contrast between LAMP servers and static code generators underlines what minimizing your attack surface can mean in practice.

That is why the phrase I coined for this post, cold LAMPin’ your IT, could be defined as follows:

To operate a complex, often dedicated technology stack with a large attack surface instead of a modern, simpler one, which in turn presents a reduced attack surface to the Internet.

In the long run, Cold LAMPin’ your IT is akin to ending up in a rap battle with a Yoda level rapper such as Flavor Flav and the only likeness you have with Eminem are your mom’s spaghetti stains on a Music Band sweatshirt.

Give Us Feedback or Subscribe to Our Newsletter

If this post pushed your buttons one way or another, then please give us some feedback below. The easiest way to make sure that you will not miss a post is to subscribe to our monthly newsletter. We will not spam you with frivolous marketing messages either, nor share your contact details with nefarious marketing people. 😉

comments powered by Disqus