[wp-hackers] php 5.5.0 is out........

Bryan Petty bryan at ibaku.net
Sat Jun 22 07:48:05 UTC 2013

On Fri, Jun 21, 2013 at 7:38 PM, Paolo Tresso
<paolo.tresso at swergroup.com> wrote:
> An impressive number of hosting providers does have really bad practices
> about that, either because their server imaging system isn't so easy to
> upgrade and deploy (this happen mainly with pre-cloud providers with
> real machines) or because their hosting system requires server admins to
> compile each time a fresh Apache + PHP stack (like CPanel).

This isn't the problem at all. All of the major hosting companies
using cPanel (and other control panels) offer multiple versions of PHP
at the customer's choice, and multiple customers on the same server
are even running different versions of PHP (depending on what they're
hosting and it's requirements).

The fact is, all of them already have the choice to run PHP 5.4 (and
likely 5.5 very soon), but (in the case of shared hosting) it's up to
the customer to take responsibility for upgrading themselves when they
know the software they have chosen to use supports newer versions of
PHP. You might also be surprised to learn that quite a lot of
perfectly healthy websites out there wont work on PHP 5.3+.

I can assure you that the hosting companies still providing 5.2 are
monitoring the health of those accounts, and are weighing the costs of
breaking a large percentage of their customers' sites when being
forced to upgrade versus letting those sites be hacked if security
becomes a problem. Eventually, they will drop support for 5.2 entirely
and automatically upgrade everyone to 5.3, but honestly, most exploits
out there for 5.2.17 require some very specific and rare conditions to
be met before anything is exposed. Very few sites still on 5.2 are
actually in any danger, assuming the software itself (not PHP) is
secure. Most of the time, it's the custom scripts and web applications
you have to worry about, not PHP, and upgrading PHP (assuming it still
works) usually won't even solve the types of security issues they
should be worried about.

Try finding a linux-based global attack vector that poses a serious
threat and works everywhere from this list [1]. There's only DoS
attacks that work regardless of the PHP scripts installed, and not
only are those easily detected and mitigated by hosting companies
without any serious damage done, but they are also always possible
even with the latest version of PHP anyway (it's just harder to pull

[1] http://www.cvedetails.com/version/106044/PHP-PHP-5.2.17.html

> I've seen on twitter that some WP core developers would like to push for
> PHP 5.3 base support in the next major release, hope it's real, it's
> about time :-)

This won't happen in 3.7 or 3.8, and likely not even in 3.9. It would
be great, and everyone would love to be able to use the newer features
of PHP (hence why devs love to rant about it), however, none of those
features are mandatory, and absolutely none of them are worth leaving
60% (let alone 20%) of WordPress users in the dark with an old,
insecure version of WordPress just because they haven't upgraded their
hosting (or can't).

Bryan Petty

More information about the wp-hackers mailing list