April 19th, 2020 at 3:49 AM
We hear about an awful lot of websites being hacked with debit cards and social security numbers being released. I don't doubt it.
Worse, Ubuntu doesn't even update their core PHP versions in old LTS releases (read: 16.04) that are still supported, and leaves unsupported PHP versions in the official repositories. I had to find a PPA just to get a supported PHP release that was still getting security updates. We're using Ubuntu 16.04 to host MS. It's supposed to be supported until April 2021. (I would upgrade it, but upgrading Ubuntu means hours of downtime and a whole host of bugs and issues. The PPA was easier.
)
MySQL and PHP both have ridiculous defaults. There is absolutely no reason for PHP to have CGI.pathauto (or whatever it's called) enabled by default. But it is. All it would take is a web master with a large website forgetting to fix that on one single server to potentially compromise their entire website.
It's a lot to remember. For better or for worse, every single website on the internet is vulnerable, whether the vulnerabilities are known or not. They say security through obscurity is not sufficient, and it honestly isn't. But neither is assuming taht no known vulnerabilities means total security. You need a little of both, because eventually, somebody will discover something.
Worse, Ubuntu doesn't even update their core PHP versions in old LTS releases (read: 16.04) that are still supported, and leaves unsupported PHP versions in the official repositories. I had to find a PPA just to get a supported PHP release that was still getting security updates. We're using Ubuntu 16.04 to host MS. It's supposed to be supported until April 2021. (I would upgrade it, but upgrading Ubuntu means hours of downtime and a whole host of bugs and issues. The PPA was easier.
)MySQL and PHP both have ridiculous defaults. There is absolutely no reason for PHP to have CGI.pathauto (or whatever it's called) enabled by default. But it is. All it would take is a web master with a large website forgetting to fix that on one single server to potentially compromise their entire website.
It's a lot to remember. For better or for worse, every single website on the internet is vulnerable, whether the vulnerabilities are known or not. They say security through obscurity is not sufficient, and it honestly isn't. But neither is assuming taht no known vulnerabilities means total security. You need a little of both, because eventually, somebody will discover something.
