|
|
BugTraq
new linux malware Feb 18 2006 10:40PM Gadi Evron (ge linuxbox org) (2 replies) Re: new linux malware Feb 20 2006 04:57PM Christine Kronberg (Christine_Kronberg genua de) (1 replies) PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 20 2006 08:22PM Gadi Evron (ge linuxbox org) (2 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Dec 30 2006 10:00PM Kevin Waterson (kevin oceania net) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 05:53PM Bill Nash (billn billn net) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 09:00PM Tino Wildenhain (tino wildenhain de) (1 replies) RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 09:31PM Jim Harrison (Jim isatools org) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 10:37PM Dana Hudes (dhudes hudes org) (1 replies) RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 12:02AM Jim Harrison (Jim isatools org) (2 replies) Re: PHP as a secure language? PHP worms? Jan 02 2007 12:01PM Duncan Simpson (dps simpson demon co uk) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 10:58AM Darren Reed (avalon caligula anu edu au) (2 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 03:16PM Dana Hudes (dhudes hudes org) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 06:48PM Lawrence Paul MacIntyre (macintyrelp ornl gov) RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 02:15PM Jim Harrison (Jim isatools org) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 06:37PM Darren Reed (avalon caligula anu edu au) (3 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 03 2007 05:16AM Ronald Chmara (ron Opus1 COM) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 04 2007 08:59PM Jim Manico (jim manico net) RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 07:18PM Jim Harrison (Jim isatools org) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 22 2006 10:48AM Kevin Waterson (kevin oceania net) (2 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 24 2006 09:13PM Matthew Schiros (schiros gmail com) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 03:26PM L. Adrian Griffis (agriffis dstsystems com) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 03:50PM Matthew Schiros (schiros gmail com) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 04:21PM L. Adrian Griffis (agriffis dstsystems com) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 05:55PM Matthew Schiros (schiros gmail com) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 24 2006 09:07PM Jamie Riden (jamie riden gmail com) Re: new linux malware Feb 20 2006 04:24PM Marco Monicelli (marco monicelli marcegaglia com) (1 replies) |
|
Privacy Statement |
> The problem we have right now is that the language commonly used for
> dynamic web pages on non-Microsoft platforms is PHP and that this has
> not been engineered *for security*.
>
> The goal of a language such as PHP should be to make it possible
> to do what is required without the person using it needing to know
> anything about security or secure programming practices. Just as
> people using perl generally don't need to worry about buffer
> overflows, why should people using PHP need to worry about SQL
> escapes and filepath issues? They shouldn't.
The point Darren is driving home with a large hammer, isn't the
languages themselves, but how they are used, in combination with the
almost absent barrier-to-entry in deploying vulnerable platforms.
I think another major factor with regard to modern
vulnerabilities, is that many bounds checks and input validation are being
done with Javascript, or to be more specific, the untrustable client
device. This is the equivalent of loaning money to someone, and later
asking them to remind you how much they owe you because you forgot.
PHP, or Perl, or ASP, as popular engines, could all benefit from a
community driven set of validation routines applied either in the base
interpreters, or as an includable library to give the less clueful a leg
up. It's a very easy thing for me to take my custom platform and include
such a thing, it's not much farther to do the same for others.
Cherry pick the top ten root causes of your 100 favorite
vulnerabilities. Come up with standard routines that developers can use to
scrub their input, and release them for the most affected platforms. Get
with the distributors of those platforms and get them implemented into the
next versions. Rinse, lather, repeat. The problem here, of course, is
finding a group with the motivation, time, and resources to do so. Without
some intended course of action, this thread is just talk.
Also, if you're on vacation, which many of you are, a large
contingent of you have crappy auto-responders that don't recognize mailing
list membership. I hope Santa brought you coal.
- billn
[ reply ]