The Center for Education and Research in Information Assurance and Security (CERIAS)


The PHP App Insecurity Top 20


I’ve spent some of my down time in the past couple of weeks working with the NIST NVD data to get stats on PHP application vulnerabilities.  What follows is a breakdown of the 20 PHP-based applications that had the highest aggregate vulnerability scores (NIST assigns each NVD entry a CVSS severity score on a 0 to 10 scale; the aggregate is the sum of those scores per application) and the highest total number of vulnerability entries over the past 12 months.  Of the two, I feel that the aggregate score is a better indicator of security issues, since it weights a handful of critical bugs above a pile of low-severity ones.

A few caveats:

  • The data here covers the period between April 1 2006 and April 1 2007.
  • This obviously only includes reported vulnerabilities.  There are surely a lot more applications that are very insecure, but for one reason or another haven’t had as many reports, so a low count is not evidence of a clean codebase.
  • I chose 20 as the cutoff mainly for the sake of making the data a little easier to swallow (and chart nicely). There are about 1,800 distinct apps in the NIST NVD that are (as far as I could determine) PHP-based.
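To make the aggregation concrete, here is a small added example (not the author’s script, which the post does not show) that does the same thing in Python: filter NVD-style entries to a date window, sum CVSS scores and count entries per product, and rank the top N, keeping every product tied with the N-th place (which is how a “top 20” can end up with 25 entries). The CVE ids, product names and scores below are constructed for illustration; the real NVD feed would need its own loader, which this example does not include.

```python
"""Rank applications by aggregate CVSS score and by entry count over a date
window.  Added example; the sample rows are constructed, not real NVD data."""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample rows (hypothetical ids, products and scores).
# Columns: cve_id, published (YYYY-MM-DD), product, cvss_score
SAMPLE_CSV = """cve_id,published,product,cvss_score
CVE-0000-0001,2006-05-02,forumapp,7.5
CVE-0000-0002,2006-06-11,forumapp,6.8
CVE-0000-0003,2006-08-20,forumapp,4.3
CVE-0000-0004,2007-03-05,blogapp,7.5
CVE-0000-0005,2007-03-12,blogapp,5.0
CVE-0000-0006,2007-03-28,blogapp,4.3
CVE-0000-0007,2006-11-01,cmsapp,10.0
CVE-0000-0008,2006-02-14,cmsapp,7.5
CVE-0000-0009,2007-04-02,galleryapp,6.8
CVE-0000-0010,2006-09-09,wikiapp,2.1
"""

WINDOW_START = date(2006, 4, 1)   # inclusive
WINDOW_END = date(2007, 4, 1)     # exclusive


def load_entries(text):
    """Parse CSV text into dicts with a real date and a float score."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "cve_id": r["cve_id"],
            "published": date.fromisoformat(r["published"]),
            # normalise product names so "MyBB" and "mybb" do not split
            "product": r["product"].strip().lower(),
            "score": float(r["cvss_score"]),
        })
    return rows


def in_window(entry, start=WINDOW_START, end=WINDOW_END):
    return start <= entry["published"] < end


def aggregate(entries, start=WINDOW_START, end=WINDOW_END):
    """Return {product: {"score": summed CVSS, "count": entries}} for the window."""
    totals = defaultdict(lambda: {"score": 0.0, "count": 0})
    for e in entries:
        if not in_window(e, start, end):
            continue
        totals[e["product"]]["score"] += e["score"]
        totals[e["product"]]["count"] += 1
    return dict(totals)


def top_n(totals, key, n):
    """Rank products by `key` ("score" or "count"), descending, with ties
    on the n-th place included rather than cut off arbitrarily."""
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1][key], kv[0]))
    if len(ranked) <= n:
        return ranked
    cutoff = ranked[n - 1][1][key]
    return [kv for kv in ranked if kv[1][key] >= cutoff]


def monthly_counts(entries, product, start=WINDOW_START, end=WINDOW_END):
    """Entries per YYYY-MM for one product, to spot a bad month."""
    counts = defaultdict(int)
    for e in entries:
        if e["product"] == product and in_window(e, start, end):
            counts[e["published"].strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    entries = load_entries(SAMPLE_CSV)
    totals = aggregate(entries)
    for label, key in (("by aggregate score", "score"), ("by entry count", "count")):
        print(f"Top 2 {label}:")
        for product, t in top_n(totals, key, 2):
            print(f"  {product:12s} score={t['score']:5.1f} count={t['count']}")
    print("blogapp by month:", monthly_counts(entries, "blogapp"))
```

Two details worth noting: entries outside the window (the February 2006 and April 2, 2007 rows) are dropped before summation, and `top_n` returns everyone tied at the cutoff, so a request for the top 1 by count returns both products with three entries.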

Without further ado, here are the tepid Excel charts:

NIST NVD Data - April 1 2006 to April 1 2007 - PHP Apps by Score Count

NIST NVD Data - April 1 2006 to April 1 2007 - PHP Apps by Entry Count

A couple notes:

  • There are 25 entries in the top “20” by vulnerability count, due to matching vulnerability counts.
  • I’d never even heard of MyBulletinBoard, the top entry in both lists.  It hasn’t had any vulnerabilities in the NVD since September of 2006, which says something about how numerous and severe the entries between April and September 2006 were.  This appears to be the same product as “MyBB,” so perhaps the situation has improved, as MyBB only has one NVD entry in the entire period (CVE-2007-0544).
  • Wordpress has had a bad start to 2007, with numerous vulnerabilities that significantly increased its ranking.  March 2007 was particularly bad, with 7 new vulnerabilities reported.
  • Bulletin board/forum software is by far the most common type of application in the top 20.  A couple of forum apps that have very low numbers of vulnerability reports: Vanilla and FUDForum.

I do intend to keep this data up-to-date if people find it interesting, so let me know if you’d like me to do so, or if you’d like to see other types of analysis.

[tags]php, security, application security, vulnerabilities, nist, nvd, statistics[/tags]



Posted by Ryan
on Thursday, April 19, 2007 at 02:43 AM

I think it would be far more interesting to merge this list with one for Perl, Python, Ruby, Java, and .NET based applications as well. A broad sampling of applications from all those platforms would give a hint as to how difficult it is to code secure web applications in each language.

Posted by Ed Finkler
on Thursday, April 19, 2007 at 05:12 AM

It might give a hint, but it could also be very misleading.  PHP is a unique case in terms of widespread popularity and shallow learning curve.  Doing “oranges to oranges” comparisons between a forum written in Perl and one done in PHP, and trying to extrapolate that to judge the security “potential” of the language itself, would be ignoring a huge number of significant variables.  Even the data I present here isn’t black and white, as there are a lot of issues that could contribute to higher or lower ratings.

Posted by GiGi
on Thursday, April 19, 2007 at 06:41 AM

So what can we do about it?

Not use that software, or use something else? Even Microsoft products don’t save you either.

Can a firewall help a lot, but how?
