Geo. wrote:
> ...
>> "The configuration flexibility of PHP is equally rivalled by the code
>> flexibility. PHP can be used to build complete server applications,
>> with all the power of a shell user, or it can be used for simple
>> server-side includes with little risk in a tightly controlled
>> environment. How you build that environment, and how secure it is, is
>> largely up to the PHP developer."
>
> And is the default install wide open or tightly controlled? I mean from a
> security standpoint we have been screaming for years at Microsoft to change
> their defaults to firewall on and things locked instead of open.
>
> Is php secure by default when it's installed on a server?
>
That's a rather odd question. Microsoft has been (rightly) criticized
for providing server *applications* that are insecurely configured (as
you point out), but php is not an application. Php is a language, so
until a program or script is written and accessible from the server, it
does nothing. Php, by itself, is not accessible externally because it's
not running a daemon that opens a port.

Register_globals is set to off by default, so I suppose in that sense
you can say it's "secure" by default, but it's really a inert object
until someone does something with it.

Any language can be misused to create insecure software. The more
powerful the language, the less difficult it is to create security holes
(or perhaps the more obvious the holes really are.) But until an
attacker has an open port to attack (unless they're sitting at the
console), everything on a server is "secure". (Of course the server is
also useless, but that's beside the point.)

--
Paul Schmehl (pauls (at) utdallas (dot) edu [email concealed])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
0? *?H?÷

 ?0?

10 +0? *?H?÷


 ?Ê0?Ø0?A 
­?´??t?ä?ìì"0
 *?H?÷


0Á10 UUS10U
VeriSign, Inc.1<0:U3Class 2 Public Primary Certification Authority - G21:08U1(c) 1998 VeriSign, Inc. - For authorized use only10UVeriSign Trust Network0
990331000000Z
070114235959Z0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA0?0
 *?H?÷



0?¿êï?ë
Áù"ÁÑÁÌÛzÚ¾6Òp`0`åàS/5ôɨ)ÖÞ=ó?d}¾Ñ?Tx?ÿ¢xñû?«Ãü?LÂIA
áÀÒ¥×ü~ÿBQNtó
Õhs¥]1øæ)%c¨#?Dj?°9ñïÛFXú¸ÏKózÁ¢I??#Cº?2?

£¥0¢0
)U"0 ¤010UPrivateLabel1-1400 `?H
?øB


0DU =0;09`?H
?øE


0*0(+

https://www.verisign.com/RPA0U
0

ÿ
0U
0
 *?H?÷


½?Ö/6?ýêN,GÎ`?Äjq ?¯1H
ü¯$è?TA??pói?ÇJ°Eþe!Ò<±J:J2PÚ#Ú¨l?(LÙ
B§?Jÿ«½X?Nü¢ØX¿í£L5?$UáìSè¦y¡y|C¦·có¾G{©ÖH?®MÐ?10?s0?Ü 
!Cl6²V³h­?pú0
 *?H?÷


0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA0
050810000000Z
060810235959Z0ô1'0%U
The University of Texas System1-0+U$The University of Texas at Dallas CA1F0DU=www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)9910UMail Stop - UTD10UPaul Schmehl1!0 *?H?÷


pauls (at) utdallas (dot) edu0 [email concealed]?0
 *?H?÷



0?Ä¡æ?9"S,/èâD¸'ɺLsÚXï3a»
?ÂÀ?+±ga,Ó?P$ñX^ù$ã?¡X?'ÈlÖ?úVç^ÚÅ?ÆÅïPN²3Jyfy­(ÅK®ûRTØ????P&8 ½z
¥Æ«¸??=ùÃu[§Þî?X®}ìS)$-|öI

£?0?0 U00U0pauls (at) utdallas (dot) edu0 [email concealed]?
$U ?
0?
0?
`?H
?øE

0?
0++

https://www.verisign.com/rpa-
kr0Ò+
0ÅÂNOTICE: Private key may be recovered by VeriSign's customer who may be able to decrypt messages you send to certificate holder. Use is subject to terms at https://www.verisign.com/rpa-kr (c)99.0 `?H
?øB

?0uUn0l0j h f?dhttp://onsitecrl.verisign.com/TheUnive
rsityofTexasSystemTheUniversityofTexasatDallasCA/LatestCRL.crl0U
?0U%0+
+
0
 *?H?÷


AØ: ³+Æü6?'â*Q?
VËD"??mÂrJ´
_û$P?o:¼LP?È*$ªøÉUÄ¿f?É´ï՝?±ýºçY2ÝB6óÁ×ÎNøßÜÛ¾i?̶f:Ü
Ó?¡×ö÷S??ìÅa1ÌÑB{S~?q¡hUN©?l0?s0?Ü 
?3áw6 lmd)!K??0
 *?H?÷


0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA0
050810000000Z
060810235959Z0ô1'0%U
The University of Texas System1-0+U$The University of Texas at Dallas CA1F0DU=www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)9910UMail Stop - UTD10UPaul Schmehl1!0 *?H?÷


pauls (at) utdallas (dot) edu0 [email concealed]?0
 *?H?÷



0?ÞL9m§J¢b°°2?àÏ´¯vk:?'ãBÌ|Òaȶv
6¶Mg½??K¿e~âäyêdâ·ßè
¼_ÒP'íûe¦¦»[<«ªwÀÚ?æhä$yÔc=?GîÕKo?97ZYõ?2ÿ²Ò_Gú©4Ú?- é,­


£?0?0 U00U0pauls (at) utdallas (dot) edu0 [email concealed]?
$U ?
0?
0?
`?H
?øE

0?
0++

https://www.verisign.com/rpa-
kr0Ò+
0ÅÂNOTICE: Private key may be recovered by VeriSign's customer who may be able to decrypt messages you send to certificate holder. Use is subject to terms at https://www.verisign.com/rpa-kr (c)99.0 `?H
?øB

?0uUn0l0j h f?dhttp://onsitecrl.verisign.com/TheUnive
rsityofTexasSystemTheUniversityofTexasatDallasCA/LatestCRL.crl0U
 0U%0+
+
0
 *?H?÷


+·4ï~ü,Áa W?.àLvQècp¹qk??|³¨??ÚÛi?ó18Ø?£^Ð7#~´¬ Ò§ò¸ҡ-OuOý-Å7vàú(?7pn®gÔ]çÕ£Û éÐù"«¦(Hô÷?¦­A½lDÙo õý=¶äw&7àT?ú£ Á1??0??

0ÿ0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA!Cl6²V³h­?pú0 + ?Ý0 *?H?÷

1 *?H?÷


0 *?H?÷

1
060626174517Z0# *?H?÷

1??6Ü#???±?ï?Ê\Æ?0R *?H?÷

1E0C0
*?H?÷
0*?H?÷
?0
*?H?÷

@0+0
*?H?÷

(0?
 +

?71?
0ÿ0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA?3áw6 lmd)!K??0?
*?H?÷

1?
 ÿ0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA?3áw6 lmd)!K??0
 *?H?÷



?Nò7¸{øV?ú0?J´ TÙDaÀý?q?^ö??qyøi¾?ç25A!3$&=?ND­?Jû<ÿ׳??DÒcO$$q?}3¨M?o_`A"É?Ð}
>úPVÙ,ÆgFöÈU·è?eP=6¦?Q1«(5?j¦ÿ³!§Äz

[ reply ]