PHP vulnerability allows attackers to run malicious code on Windows servers

Nilt

Ars Legatus Legionis
20,547
Subscriptor++
To the people running dated php version because of an obscure WordPress plugin that helps them do everything for their business from their site.

You knew this day was coming.
Yeah, I've fired clients who wouldn't stop doing that stuff. I just don't need to deal with that sort of crap. Sadly, not everyone's able to opt out in such a manner.
Upvote
59 (61 / -2)

miken32

Ars Scholae Palatinae
732
While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system
It turns out that, as part of unicode processing, PHP will apply what’s known as a ‘best fit’ mapping

So is this the PHP devs just not accounting for OS behaviour, or were they doing something to actively cause this problem?
Upvote
62 (62 / 0)

srt8driver

Smack-Fu Master, in training
82
PHP vuln..oh shit...OOOOhhhh.. only on Windows? Nevermind. and it needs CGI mode. Who runs PHP like that?
Yea my heart skipped a beat reading the headline right before 5pm on Friday; then I relaxed because what professional actually runs PHP server on a windows box? I might just do the rewrite rule anyway since it won't impact our systems & will cut down on the script kiddies hitting the servers this weekend.
Upvote
96 (98 / -2)

fcheslack

Seniorius Lurkius
13
Frankly PHP and its community stopped deserving derision some years ago and really just deserve sympathy.

Maybe we should open a special mental health fund for php developers.

PPDRF - PPDRF PHP Developer Relief Fund
It's a dumb comment, and outdated (modern PHP is not that bad, Python has developed some pretty bad warts too), but I'll upvote for trying oh so hard to make a recursive acronym joke.
Upvote
48 (51 / -3)

srt8driver

Smack-Fu Master, in training
82
Frankly PHP and its community stopped deserving derision some years ago and really just deserve sympathy.

Maybe we should open a special mental health fund for php developers.

PPDRF - PPDRF PHP Developer Relief Fund
The whole "PHP is dead" thing is a conspiracy by seasoned developers to keep the new kids out of the hiring pool. Modern PHP is pretty good, but developer pay for updating old PHP to modern is even better! (That's why we try to keep it a secret!) /s
Upvote
60 (68 / -8)
Yea my heart skipped a beat reading the headline right before 5pm on Friday; then I relaxed because what professional actually runs PHP server on a windows box? I might just do the rewrite rule anyway since it won't impact our systems & will cut down on the script kiddies hitting the servers this weekend.
Not JUST PHP on Windows, but PHP and Apache on Windows! Is phpfm even ON windows?
Upvote
34 (34 / 0)
Wow, haven't heard of CGI in a seriously long time. I didn't think anyone still used it. In case anyone is wondering, CGI in this context means Common Gateway Interface.
It's still there just under layers of abstraction. It just works... Until it doesn't and then no one knows what to look for.
Upvote
32 (32 / 0)

wolstech

Seniorius Lurkius
39
PHP vuln..oh shit...OOOOhhhh.. only on Windows? Nevermind. and it needs CGI mode. Who runs PHP like that?
Cautiously raises hand...

I have a public facing box at work in that boat. PHP 5.6 in CGI mode on an ancient XAMPP install on server 2019 handling data automation and vendor access APIs.

Has anyone tested if this can impact a server with a US English locale setting? Does the so-called "best fit" translation of unicode that's affected and causes this vulnerability still occur if such characters are submitted to a server running in English?
Upvote
40 (41 / -1)

DaveSimmons

Ars Tribunus Angusticlavius
9,843
This comes up in every discussion about PHP. And it’s true, but a language needs more compelling reasons to use it besides “is not crap anymore” when there are other options to choose from with some real strengths.
One strength: You can build an app or API without bringing in a heavy framework or 100 layers of nested packages including left-pad. The built-in PHP and standard includes support SQL databases, network calls, string manipulation, file operations, etc.
Upvote
73 (77 / -4)

Publius Enigma

Ars Praetorian
650
Subscriptor
Wow, haven't heard of CGI in a seriously long time. I didn't think anyone still used it. In case anyone is wondering, CGI in this context means Common Gateway Interface.
Nothing wrong with CGI. I use it for my website, which is all bash, perl and CGI. It can scale to dozens of users a week.
Upvote
70 (71 / -1)

J.King

Ars Praefectus
3,897
Subscriptor
Wait what? I haven’t done anything with PHP in years, but this can’t be true, is it?
It can happen. WordPress is one of the oldest PHP code bases which is still maintained, and a pretty large one. It has doubtless used a lot of (mis)features over the years which have been deprecated and/or removed. Combine that with PHP versions being supported no more than two years, and you can eventually fall behind if you don't plan carefully.
Upvote
20 (20 / 0)

Adam7288

Smack-Fu Master, in training
59
I went from running PHP 5.x on CentOS 7, to spending hours and days getting it up to ... 7.1 with a real struggle. On an old Apache version.

To running in containers and now rocking the most recent 8.3.7 on nginx like it's nothing.

Containers are the way to go. Can't say enough about it. Changed my life.
Upvote
22 (23 / -1)
One strength: You can build an app or API without bringing in a heavy framework or 100 layers of nested packages including left-pad. The built-in PHP and standard includes support SQL databases, network calls, string manipulation, file operations, etc.
PHP has benefitted for years (decades by now, really) from its deployment story being "index.php already works". It was really easy for it to win when the competing deployment stories were things like "first, make sure Perl and CPAN are up to date; you'll also need gcc for compiling mod_perl" and "the Tomcat servlet model is a land of contrasts".

The closest competitor would be a mod_python that was similarly "index.py already works", because Python's batteries-included ethos means you can get a long, long way before you need to even think about package managers.
Upvote
33 (33 / 0)

pahles

Seniorius Lurkius
49
I went from running PHP 5.x on CentOS 7, to spending hours and days getting it up to ... 7.1 with a real struggle. On an old Apache version.

To running in containers and now rocking the most recent 8.3.7 on nginx like it's nothing.

Containers are the way to go. Can't say enough about it. Changed my life.
I've been running PHP 8.2.x on CentOS 7, with a recent version of nginx without any trouble at all. Migrating to a more recent OS now. Containers are nice though.
Upvote
13 (13 / 0)

thingfromtheswamp

Smack-Fu Master, in training
45
Subscriptor
The whole "PHP is dead" thing is a conspiracy by seasoned developers to keep the new kids out of the hiring pool. Modern PHP is pretty good, but developer pay for updating old PHP to modern is even better! (That's why we try to keep it a secret!) /s
"new" isn't new anymore in the computer business, it's become a fracking sort of business imo, environmentally damaging and draining all remaining money out of the social main body. Attempting to shove "new" down the paying customer's throat with force. "Late stage capitalism". /rant
Upvote
-17 (3 / -20)

passivesmoking

Ars Tribunus Angusticlavius
6,882
PHP vuln..oh shit...OOOOhhhh.. only on Windows? Nevermind. and it needs CGI mode. Who runs PHP like that?
Yeah, no kidding, I just sent a ping to the work slack about it, then realised oh, it's probably not a huge deal for us after all, because who hosts PHP on a public-facing server running Windows?
Upvote
6 (8 / -2)

bretayn

Ars Centurion
200
Subscriptor
Wordpress 6.5 (released in April) seems to be compatible with no exceptions.

Actively supported PHP versions are 8.2 and 8.3. WordPress lists version 6.5 as having "beta support" for 8.2 and 8.3.

Your best bet here, if you have to run WordPress, is to run an LTS version of Linux, where the OS supplier is providing security fixes to an older copy of PHP.
Upvote
23 (23 / 0)

cloudseer

Seniorius Lurkius
41
At work we’re running enterprise WordPress sites on all supported PHP versions and the limiting factors are the plugins used; the popular ones will at least support 8.1. Anyone saying otherwise hasn't dug into the extreme edge cases that underlie the conservative beta labelling by the community.

If your opinions on PHP and WordPress are older than the block editor or the maintained versions, give it another go?

Checking actual compatibility using CodeSniffer and Compatibility Checker can be started in less time than a comment on your favorite website.

If you have your own vps and run WP personally start by taking away write permissions apart from the uploads directory and run a cron job using WP-cli every night upgrading all the plugins, themes and the platform, and use the recommendations of the site health tool that comes with it.
Upvote
10 (10 / 0)

J.King

Ars Praefectus
3,897
Subscriptor
Actively supported PHP versions are 8.2 and 8.3. WordPress lists version 6.5 as having "beta support" for 8.2 and 8.3.
That's annoying. I consulted the 'Server Environment' documentation which made no mention of exceptions for 6.5, while mentioning exceptions for all earlier versions. The release announcement makes no mention, either. Presumably the table is correct, but there's clearly some room for doubt.
Upvote
5 (5 / 0)