Did you know that nearly 80% of all websites run on PHP? More specifically, “PHP is used by 78.9% of all the websites whose server-side programming language we know”, according to W3Techs statistics. That fact alone makes PHP security a crucial topic, and when you add the fact that support for PHP 5.6.x ends at the end of this year, the security question becomes critical.
PHP 5.6.x Supported Until December 31, 2018
In other words, after December 31, 2018, millions of websites will stop receiving security updates for their servers, and the PHP ecosystem will therefore be exposed to a variety of security dangers. History shows that it will not take attackers long to locate a security flaw in PHP and exploit it against vulnerable sites, researchers generally warn.
According to Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprise, it is highly likely that “any major, mass-exploitable flaw in PHP 5.6 would also affect the newer versions of PHP”.
It should be noted that PHP 7.2 will get a patch from the PHP team, for free, in a timely manner. As for PHP 5.6, it will only get one if paid support from the OS vendor is in place.
“If anyone finds themselves running PHP 5 after the end of the year, ask yourself: Do you feel lucky? Because I sure wouldn’t,” Arciszewski added in a conversation with ZDNet.
Security researchers have been referring to this as a “ticking PHP time bomb”, and they have the absolute right to do so. Interested parties have been aware of this time limit for quite some time. Since PHP 5.6 was considered the most deployed version of PHP in 2017, PHP maintainers extended the EOL date to December 31, 2018.
In general, PHP support cycles go like this:
Each release branch of PHP is fully supported for two years from its initial stable release. During this period, bugs and security issues that have been reported are fixed and are released in regular point releases. After this two year period of active support, each branch is then supported for an additional year for critical security issues only. Releases during this period are made on an as-needed basis: there may be multiple point releases, or none, depending on the number of reports. Once the three years of support are completed, the branch reaches its end of life and is no longer supported.
Support for PHP 5.6, in particular, has been extended: active support will run for an additional four months, and the security fix period has been doubled from one to two years.
Where Do WordPress, Drupal and Joomla Stand in the PHP Matter?
Unfortunately, there hasn’t been a widely coordinated attempt to implement newer versions in a timely manner. But there are indeed CMS platforms that are working on delivering the minimum security requirements. Drupal has officially stated that it is going to change its minimum requirements to PHP 7:
Drupal 8 will require PHP 7 starting March 6, 2019. Drupal 8 users who are running Drupal 8 on PHP 5.5 or PHP 5.6 should begin planning to upgrade their PHP version to 7.0 or higher (PHP 7.1+ is recommended). Drupal 8.6 will be the final Drupal 8 version to support PHP 5, and will reach end-of-life on March 6, 2019, when Drupal 8.7.0 is released.
WordPress has also changed its recommendation and now recommends PHP version 7.2 or greater. However, if you are in a legacy environment where you only have older PHP or MySQL versions, WordPress also works with PHP 5.2.4+ and MySQL 5.0+. These versions, though, have reached their official End Of Life dates and hence may expose your site to security vulnerabilities, WordPress warns.
Joomla’s minimum requirement is PHP 5.3.10.
Interestingly, Arciszewski feels that “the biggest source of inertia in the PHP ecosystem regarding versions is undoubtedly WordPress, which still refuses to drop support for PHP 5.2 because there are more than zero systems in the universe that still run WordPress on an ancient, unsupported version of PHP.”