The growth of PHP-based content management systems is a testimony to the success of the open source movement, which has created a lengthy list of powerful, user-friendly applications that can be installed by web site operators with little or no PHP coding experience. Active support communities for these projects offer templates and mods for easy customization, and mobilize to deploy fixes for security holes.
But as is the case with most web software, a significant number of users fail to install security patches in a timely fashion. This provides an opportunity for hackers, who typically use public advisories to identify security flaws in specific programs and files, and then query search engines to locate vulnerable versions of the software.
Some programs with consistent security problems continue to grow in popularity. The open source bulletin board system phpBB has experienced a series of security problems, and has been banned by some web hosts. The MSN search engine recently began returning no results for the search term “phpBB” to deter hacker scans. That hasn’t prevented a 79 percent increase in active sites using phpBB between June and December of 2005, according to data from our Web Server Survey and related datasets.
Most of the security issues with PHP-driven programs are found not in PHP itself, but rather in the libraries and applications built atop the server-side scripting language. The most widespread of these, a flaw in XML-RPC libraries identified in July, affected a lengthy list of popular programs including WordPress, Drupal, PostNuke, Serendipity, phpAdsNew and phpWiki. More than four months later, hackers were actively targeting the flaw.