The Wayback Machine - https://web.archive.org/web/20090628173101/http://www.coelho.net:80/php_cve.html

PHP-related vulnerabilities on the National Vulnerability Database

The CVE is a dictionary of vulnerabilities maintained by the MITRE Corp. A unique identifier is associated to each security vulnerability found, for reference. The database can be searched on the NIST NVD (National Vulnerability Database) page.

One can query the database for keywords (e.g. PHP) and dates. It is a little bit crude:

However, a quick check through the search results shows that the returned vulnerabilities are indeed mostly related to PHP, so although the precision is not down to the unit, the overall picture seems faithful.

It returns the following figures:

   Year      PHP-related   Total   Ratio
   *-2008           9274   34095   27.2%
   2009/Q1           633    1706   37.1%
   2008             1962    5634   34.8%
   2007             2346    6517   36.0%
   2006             2840    6603   43.0%
   2005             1396    4928   28.3%
   2004              490    2450   20.0%
   2003              183    1515   12.0%
   2002              240    2156   11.1%
   2001               80    1677    4.7%
   2000               20    1017    1.9%

By selecting the network access vector, one can also find that 7493 out of 7601 (98.5%) PHP-related vulnerabilities can be exploited remotely.

One can also play with the vulnerability category, although most vulnerabilities do not seem to be explicitly tagged: only 964 out of 7601 are tagged. Among these, 790 (81.9%) are directly or indirectly related to a lack of input sanitization (code/command/SQL injections, input validation, cross site scripting, path traversal).
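As an added example (not part of the original page), the script below reproduces the three counts used above, the per-year PHP-related ratio, the share of PHP-related entries with a network access vector, and the share of tagged entries in an input-sanitization category, over a constructed, NVD-like record list. The field names, the category labels and the CVE ids are assumptions and placeholders, not the NVD's actual schema or real entries.

```python
import json
import re
from collections import defaultdict

# Constructed NVD-like records for illustration (placeholder ids, not real CVEs).
SAMPLE_JSON = json.dumps([
    {"id": "CVE-YYYY-0001", "published": "2008-03-01",
     "summary": "SQL injection in a PHP web application component",
     "access_vector": "NETWORK", "categories": ["SQL Injection"]},
    {"id": "CVE-YYYY-0002", "published": "2008-05-11",
     "summary": "Buffer overflow in a kernel driver",
     "access_vector": "LOCAL", "categories": ["Buffer Errors"]},
    {"id": "CVE-YYYY-0003", "published": "2008-09-20",
     "summary": "Cross site scripting in index.php of a CMS",
     "access_vector": "NETWORK", "categories": []},
    {"id": "CVE-YYYY-0004", "published": "2009-02-02",
     "summary": "Directory traversal in a PHP plugin",
     "access_vector": "NETWORK", "categories": ["Path Traversal"]},
    {"id": "CVE-YYYY-0005", "published": "2009-01-15",
     "summary": "Denial of service in a mail server",
     "access_vector": "NETWORK", "categories": ["Resource Management Errors"]},
])

# Category labels grouped as "lack of input sanitization" (assumed spelling).
SANITIZATION = {"SQL Injection", "Code Injection", "Command Injection",
                "Input Validation", "Cross Site Scripting", "Path Traversal"}

def is_php_related(rec):
    # Crude keyword match on the summary, like a NVD keyword search for "PHP".
    return re.search(r"\bphp\b", rec["summary"], re.I) is not None

def yearly_ratio(records):
    """Per-year (php_related, total, ratio_percent), as in the table above."""
    per_year = defaultdict(lambda: [0, 0])
    for rec in records:
        year = rec["published"][:4]
        per_year[year][1] += 1
        per_year[year][0] += is_php_related(rec)
    return {y: (p, t, round(100.0 * p / t, 1)) for y, (p, t) in per_year.items()}

def php_stats(records):
    """Remote-exploitable and input-sanitization counts among PHP-related entries."""
    php = [r for r in records if is_php_related(r)]
    remote = sum(r["access_vector"] == "NETWORK" for r in php)
    tagged = [r for r in php if r["categories"]]
    sanit = sum(bool(SANITIZATION & set(r["categories"])) for r in tagged)
    return {"php": len(php), "remote": remote, "tagged": len(tagged), "sanitization": sanit}

records = json.loads(SAMPLE_JSON)
```

Untagged entries (empty category list) are excluded from the sanitization denominator, matching the page's "964 out of 7601 are tagged" step.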

Why?

Here are possible explanations for these facts, dealing with developers, hackers, and the PHP language:

PHP application developers do not do a good job at securing their code: they do not care, or they do not know how, or they try but fail. PHP is often a self-taught first and only programming language for non-professional developers, whose code will stay online forever. Also, as PHP is easy and popular, more bugs are written with it.

PHP bugs may be intensely sought after because, when found, a flaw often allows breaking into many servers: a big reward for hackers, a huge pain for system admins hosting these applications. For instance, 127 vulnerabilities are listed in 2008 for the Joomla! CMS and its components, 110 of which are given a High severity. According to the software website, 100,000s of instances are deployed worldwide... Other popular CMS also got significant vulnerabilities in 2008: Drupal 79, Wordpress 61. Every such vulnerability means checks, updates and tests for the sysadmins, or leaving the servers open to hackers.

The PHP language and its libraries are not immune to security issues, like any other software. However, as the code is running online, the consequences are dear. There are about 19 core-PHP vulnerabilities in 2008 (CVE-2008-5498, 5557, 5658, 5625, 5624, 4107, 3660, 3659, 3658, 2829, 2666, 2665, 2108, 2107, 2051, 2050, 1384, 0599, 0145), and the PCRE library used by PHP also had 4 vulns in 2008 (CVE-2008-2436, 2371, 1026, 0674). The PHP language itself does not help developers: a taint mode, which could help prevent many issues by detecting bad programming, has been rejected several times. Earlier versions of PHP had default settings (e.g. register_globals or magic_quotes) which made it very easy to write insecure code. These features are now off by default (since 4.2), marked as deprecated (5.3) and scheduled for removal (6.0).

Who?

The editor of this page is Fabien Coelho. I'll try to update the figures cited here from time to time. Feel free to suggest other possible explanations.
