|
|
BugTraq
PHP security (or the lack thereof) Jun 16 2006 11:21AM Darren Reed (avalon caligula anu edu au) (4 replies) Re: PHP security (or the lack thereof) Jun 22 2006 12:15PM john mullee (jmullee yahoo com) (1 replies) Re: PHP security (or the lack thereof) Jun 24 2006 10:42PM Darren Reed (avalon caligula anu edu au) (2 replies) Re: PHP security (or the lack thereof) Jun 27 2006 05:47AM Tonnerre Lombard (tonnerre lombard sygroup ch) (1 replies) Re: PHP security (or the lack thereof) Jun 27 2006 03:38AM Ronald Chmara (ron Opus1 COM) (1 replies) Re: PHP security (or the lack thereof) Jul 05 2006 04:17PM Dan Falconer (dan avsupport com) (1 replies) Re: PHP security (or the lack thereof) Jun 19 2006 05:07PM Neil Neely (neil frii com) (1 replies) RE: [lists] Re: PHP security (or the lack thereof) Jul 16 2006 11:26PM Curt Purdy (purdy tecman com) Re: PHP security (or the lack thereof) Jun 16 2006 11:06PM Bojan Zdrnja (bojan zdrnja gmail com) (1 replies) Re: PHP security (or the lack thereof) Jun 17 2006 05:08PM Jessica Hope (jessicasaulhope googlemail com) |
|
Privacy Statement |
> From my own mail archives, PHP appears to make up at least 4% of the
> email to bugtraq I see - or over 1000 issues since 1995, out of the
> 25,000 I have saved.
> People complain about applications like sendmail...in the same period,
> it has been resopnsible for less than 200.
this is an unfair comparison, i think, and you're not the first to make
such an argument. PHP is a language, one that lends itself to insecure
paradigms and practices. but, so does C and it's built in string handling
functions, and that's a similar source of security bugs over the years.
Perl, in the wrong CGI programming hands, has caused a similar quantity of
issues.
how many of those issues you are referring to are core PHP issues? looking
through the stats provided by secunia for PHP 4 - PHP 5 i count up :
version advisories listed by secunia
------- ----------------------------
PHP 5.1.x 7
http://secunia.com/product/6796/
PHP 5.0.x 13
http://secunia.com/product/3919/
PHP 4.4.x 9
http://secunia.com/product/5768/
PHP 4.3.x 20
http://secunia.com/product/922/
PHP 4.0.x 7
http://secunia.com/product/1655/
so that's a total of 56 PHP core issues from PHP 4.0 onwards. unless PHP
3.x and prior had over 944 such advisories in that time period (1995 til
present, your timeframe), i suspect you just did something akin to:
grep -i ^subject:.*php .*$ bugtraq.mbox
and looked at the results. hardly reflective of core PHP issues, given the
wide number of PHP applications that have had bugtraq posts written about
them.
my point is simple: if you're going to pick on something, compare apples
to apples and not and oranges. if you pick on this huge flood of PHP apps
that have had security holes, then pick on C for a similar numbers of bugs
over the years. pick on Perl and the number of poorly written CGI scripts
that have had security bulletins over the years. i'm sure a few more
languages could easily be added to that list.
bear in mind i'm no PHP (or Perl, or C) bigot. but really, if you're going
to complain about PHP, at least make your argument on reasonable grounds.
________
jose nazario, ph.d. jose (at) monkey (dot) org [email concealed]
http://monkey.org/~jose/ http://monkey.org/~jose/secnews.html
http://www.wormblog.com/
[ reply ]