On Tue, 5 Mar 2002, at 4:30pm, Derek D. Martin wrote:
> However, just this year:
> 
> http://online.securityfocus.com/archive/1/258995
> http://online.securityfocus.com/archive/1/258662

  I believe these two are the same issue, the one originally under
discussion in this thread.

> http://online.securityfocus.com/archive/1/255037

  This is not a PHP-specific issue, but a widespread programmer brain damage
issue.

> http://online.securityfocus.com/archive/1/254846

  This is an Apache configuration error, not a PHP problem.

> http://online.securityfocus.com/archive/1/254005

  Legit.

> http://online.securityfocus.com/archive/1/250196

  Somewhat legit.  It can be argued that /tmp is a design flaw in Unix.  I
would be inclined to agree with said argument.  However, using an OS feature
known to be broken is not exactly a good call, either.

> Some of these are considered fairly minor, in that the vulnerability is a
> possible exposure of what may be considered sensitive info.

  And others appear to have been included simply because the string "PHP"  
appeared in the message.  ;-)

> There are also some earlier advisories which complain about the design of
> PHP encouraging the development of insecure code.  It seems that writing
> secure PHP scripts is also very difficult, and there are quite number of
> advisories for software written in PHP, which are not necessarily the
> fault of PHP, but perhaps encouraged by the design of PHP.

  Okay, with all due respect, that is pure FUD.  Yes, FUD -- Fear,
Uncertainty, and Doubt.  "There isn't really anything wrong here, but if you
use it, you will be burned, just because."  You can make the same argument
for Unix, C, Perl, Java, the Internet, computers in general...

> You have to worry about security problems in the software written using
> PHP, as well as those of PHP itself.

  Again: This is true for *anything*.

> For example, Perl has zero reported vulnerabilities over the same period
> of time, and only one report of a vulnerability in software written in it
> (a file disclosure bug caused by bad input validation).

  Whoa!  Were you not around a few years ago, when finding holes in popular
Perl CGI scripts was practically a daily occurrence?

> I stand by what I said: if you're using PHP, it is my opinion that you're
> better off from a security standpoint using something else.

  I think the problem you are seeing is that your average web designer
cannot code worth a damn.  They think the system should be "chmod -R 777 /"
because everything else is too hard to understand.  They think a system is
secure as long as they have purchased a certificate from VeriSign (actually
using SSL is optional).  Really advanced web designers might think Telnet is
a really cool idea.  They simply don't *get* security, usually because they
simply haven't had the training [1].

  Blaming that on PHP is very poor form.

Footnotes
---------
[1] Yes, I'm over-generalizing.  Not all web designers are security
    illiterate.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |
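The /tmp point above (a shared, world-writable directory where a predictable file name can already be occupied by something another local user planted) is easy to see in a few lines. The following is an added illustration, not code from either message in this thread: it contrasts the careless pattern (predictable name, open with O_CREAT but without O_EXCL, so a pre-existing file is silently truncated and reused) with the defensive one (O_EXCL plus O_NOFOLLOW, which refuses anything already at the path, and mkstemp, which picks an unpredictable name atomically). The file name "app.lock" and the pre-planted contents are constructed for the demo; it runs in a private temporary directory rather than the real /tmp.

```python
import os
import tempfile


def unsafe_open_tmp(path):
    """The pattern being criticised: predictable path, no O_EXCL.

    If anything already exists at ``path`` it is opened and truncated,
    so the program ends up writing into a file it did not create.
    """
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)


def safe_open_tmp(path):
    """Defensive variant: only succeed if *we* create the file.

    O_EXCL makes creation fail when the path already exists (a symlink
    counts as existing), and O_NOFOLLOW refuses to traverse a symlink
    where the platform supports it.  Returns None instead of reusing
    someone else's file.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        return os.open(path, flags, 0o600)
    except FileExistsError:
        return None


def demo():
    """Run both patterns against a pre-planted file in a private directory.

    Returns (unsafe_reused, safe_refused, mkstemp_fresh):
      unsafe_reused  - the careless open truncated the planted file
      safe_refused   - the O_EXCL open declined to touch it
      mkstemp_fresh  - mkstemp created a distinct, unpredictable file
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        # Constructed scenario: a predictable name that is already occupied.
        target = os.path.join(tmpdir, "app.lock")
        with open(target, "w") as planted:
            planted.write("pre-existing content planted by someone else")

        # Careless pattern: succeeds, and the planted file is now empty.
        fd = unsafe_open_tmp(target)
        os.close(fd)
        unsafe_reused = os.path.getsize(target) == 0

        # Defensive pattern: refuses because the path is already taken.
        safe_refused = safe_open_tmp(target) is None

        # Preferred approach: let the OS pick an unpredictable name
        # and create it atomically with O_EXCL on our behalf.
        fd, fresh = tempfile.mkstemp(dir=tmpdir)
        os.close(fd)
        mkstemp_fresh = os.path.exists(fresh) and fresh != target

        return unsafe_reused, safe_refused, mkstemp_fresh


if __name__ == "__main__":
    print(demo())
```

The lesson is the one Ben hints at: the directory is shared by design, so the fix is not to avoid /tmp but to never assume a name there is yours until an exclusive create has told you so.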

