On Mon, Nov 04, 2002 at 01:05:28AM +0000, Dave Wilson wrote:
>    As a result of this, we now have a steady stream of security
>    vulnerabilities published on major security mailing lists daily
>    about insecure PHP packages (I think this is how the discussion
>    started?).

This is true.

>    The actual PHP codebase itself has only had a few insecurities -- I
>    haven't looked at the figures, but at a guess I'd say less than the
>    likes of suidperl (which has been around for quite a long time I must
>    admit, but I'm trying to make PHP look good here).

I wouldn't say that using suidperl is safe, but using perl as a whole,
invoked by root, is not a bad thing. PHP has had remote attacks against
it:
     http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mod_php

Though I thought that there had been more than just that one. A remote
arbitrary code execution vulnerability is considerably more dangerous
than a local privilege escalation, in general.

What this boils down to is that
a) I don't believe that scalable and maintainable sites can be easily
   written in PHP
b) I don't believe that the general coding standard in the PHP binaries
   is as high as is necessary to survive on the modern Internet

Therefore I'm not likely to run it anytime soon.

YM will almost certainly V

-- 
Lusercop.net - LARTing Lusers everywhere since 2002
