Someone guessed the password for this bug and posted a bunch of crap above. The comment above this one isn't mine. I have generated a random password for this bug so please disregard the clowns above. Thanks.

I've deleted the comments.

This is why dropping old versions from package managers is stupid.

I don't want them to maintain old versions. Just don't remove the old versions from package managers.

If I want to install old software that's my right and my risk to take. That's not up to you to decide. The vast majority of code written for 5.x could never be exploited anyway.

This is the height of nerd arrogance. Don't patronize me assholes. I'll figure out the risk for myself. If I feel like running php 4.0 on Slackware 3.1 I'll do it and that's none of your business.

I'm not angry just have zero patience for arrogance, ignorance, and stupidity. The OP of this thread hasn't been exploited or hacked. Most PHP out there is still running 5.x.

You are neither qualified nor smart enough to put together a single one of these hacks you claim we are vulnurable to. You're spreading fear and FUD.

Linux is designed for security. The server is not running as root and neither is the PHP process on the box.

This is like bitching about someone using Windows 95 to play Doom. Yea they could be hacked but nothing of value would be lost and you're still just an asshole.

I can tell you're less experienced cause you think packagist stats are accurate. Not everyone uses composer. And it's based on the CLI version at run time which is skewed towards CI docker images and workstations.

Priv escalation is something you will never pull off in your entire career so I don't know why you bring it up. Maaaaaybe a well placed gd exploiting jpeg with a buffer overflow. Anyway it's stupid to even think about.

My code needed very little change from 5.6 to 7 so good luck with that.

Here's my blog's source code. Have fun hacking it.

https://github.com/hparadiz/technexus

While you're at it bring me a beer. I'll wait.

Maybe cause there's literally millions of sites out there running 5.x that aren't being hacked left and right? Not all things need fort knox built around them.

I'm routinely amazed at the lack of faith engineers in this subreddit have in the collective security structure of systems like Linux. Exploits are rare and usually involve esoteric PHP extensions and non-standard data manipulation techniques which most PHP code does not use.

I'm not trolling at all. I'm sure the code I wrote in 2014 would be fine on the open internet running 5.6.

To be honest I've never been hacked in my career and I've worked on some pretty high profile high traffic sites with some super janky code I've inherited. We're all connected to the internet on routers running old versions of Linux and it's fine.

https://w3techs.com/technologies/details/pl-php/all/all

You're the one cherry picking. If you were intellectually honest you'd look up stats from servers on the open internet which is a way bigger pool than composer installs.

The stupid. It burns.

Lol inb4 shared hosts running multiple versions of PHP.

Literally my point. Lol. Thanks for making it.

This is a general mysqlnd issue, which selects the authentication
plugin to use from what the server asks for, but does not allow to
explicitly specify the authentication plugin, even though a
cleartext_plugin is built-in, but apparently this can only be used
for PAM authentication.