I just read an interesting article about security in PHP installs. You can find the full article here.
It is an article about how many PHP installs had at least one known security vulnerability. You might think that the latest version of a distribution is the most secure, but that is not the case. For example, my PHP application is running on Ubuntu 12.04 (at Leaseweb), which has PHP 5.3.10 installed: quite an old version, but it has no known security vulnerabilities. (Other secure 5.3 versions are 5.3.3 and 5.3.2.)
In total, 25,94% of PHP servers are running a secure PHP version...
When running widely known software such as Drupal (not me), is your website safe? Here is an interesting article. The most interesting part is that "Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement."
Now, to check whether your install has the patch. The article continues: "If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site." Oh boy!
Maybe it is better to use more unknown platforms.