|
|
BugTraq
PHP security (or the lack thereof) Jun 16 2006 11:21AM Darren Reed (avalon caligula anu edu au) (4 replies) Re: PHP security (or the lack thereof) Jun 22 2006 12:15PM john mullee (jmullee yahoo com) (1 replies) Re: PHP security (or the lack thereof) Jun 24 2006 10:42PM Darren Reed (avalon caligula anu edu au) (2 replies) Re: PHP security (or the lack thereof) Jun 27 2006 05:47AM Tonnerre Lombard (tonnerre lombard sygroup ch) (1 replies) Re: PHP security (or the lack thereof) Jun 27 2006 03:38AM Ronald Chmara (ron Opus1 COM) (1 replies) Re: PHP security (or the lack thereof) Jul 05 2006 04:17PM Dan Falconer (dan avsupport com) (1 replies) Re: PHP security (or the lack thereof) Jun 19 2006 05:07PM Neil Neely (neil frii com) (1 replies) RE: [lists] Re: PHP security (or the lack thereof) Jul 16 2006 11:26PM Curt Purdy (purdy tecman com) Re: PHP security (or the lack thereof) Jun 17 2006 01:50AM Jose Nazario (jose monkey org) (1 replies) Re: PHP security (or the lack thereof) Jun 17 2006 06:06PM Geo. (geoincidents nls net) (2 replies) Re: PHP security (or the lack thereof) Jun 20 2006 04:54AM kicktd (cooljay1804ml bellsouth net) (1 replies) Re: PHP security (or the lack thereof) Jun 16 2006 11:06PM Bojan Zdrnja (bojan zdrnja gmail com) (1 replies) |
|
Privacy Statement |
can recall, it has had only two major vulns. I would say "the winner"
would be something like phpNUKE (to put my point, phpNUKE has had 31
vulns from 2003 to present day of which most are unpatched, where as
phpBB has had 32 in the same range, but *all* are patched, and most
are due to IE parsing some of the most invalid HTML to allow XSS.
(about 11 of the 32 are pure XSS due to IE).
You're quite right that the comparison of PHP to sendmail is
apples/oranges. However, when you have a language which "anyone" can
use, you're going to get a huge number of people who use it
incorrectly with the results as you see here. This will only increase,
as more and more hosts have PHP enabled, and PHP becomes easier to
install.
That's not to say the PHP group have not been working on the issue;
their recent meeting about PHP6 saw the dropping of things like magic
quotes, open basedir, and talks about including code to allow fopen to
access remote URL's, but making it a separate option which is disabled
by default that controls the use of URL's in include() and the like.
Talks about sandboxing have also been done, however it was decided
that there's no decent secure way to sandbox a PHP application at
present.
Jessica
On 6/17/06, Bojan Zdrnja <bojan.zdrnja (at) gmail (dot) com [email concealed]> wrote:
> On 6/16/06, Darren Reed <avalon (at) caligula.anu.edu (dot) au [email concealed]> wrote:
> >
> > From my own mail archives, PHP appears to make up at least 4%
> > of the email to bugtraq I see - or over 1000 issues since 1995,
> > out of the 25,000 I have saved.
> >
> > People complain about applications like sendmail...in the same
> > period, it has been resopnsible for less than 200.
> >
> > Do we have a new contender for worst security offender ever
> > written ?
>
> Well, PHP is a programming language and Sendmail is an application -
> I'd say you are comparing apples and oranges here.
>
> If you really want to compare applications, take phpBB for example
> (which is the winner in this case), but I don't think it makes much
> sense looking for a new contender for worst security offender ever
> written ...
>
> Bojan
>
[ reply ]