On Mon, Nov 04, 2002 at 09:06:43AM +0000, Lusercop wrote:

> >    As a result of this, we now have a steady stream of security
> >    vulnerabilities published on major security mailing lists daily
> >    about insecure PHP packages (I think this is how the discussion
> >    started?).

> This is true.

I'm gratified by your blessing.

> >    The actual PHP codebase itself has only had a few insecurities -- I
> >    haven't looked at the figures, but at a guess I'd say less than the
> >    likes of suidperl (which has been around for quite a long time I must
> >    admit, but I'm trying to make PHP look good here).

> I wouldn't say that using suidperl is safe, but using perl as a whole,
> invoked by root, is not a bad thing. PHP has had remote attacks against
> it:

So, a uid 0 script is fine, as long as it wasn't started suid? heh.

>      http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mod_php

> Though I thought that there had been more than just that one. A remote
> arbitrary code execution vulnerability is considerably more dangerous
> than a local privilege escalation, in general.

As far as actual holes are concerned (and I'm rather drunk right now,
yes, at this time of the morning), I think there have only been two (2)
in PHP 4. PHP 3 is not PHP. It's shit. :)

> What this boils down to, is that
> a) I don't believe that scalable and maintainable sites can be easily
>    written in PHP

I addressed this. It is because you suck, not the language. I thought
people liked perl because of its flexibility.

And define scalability. mod_perl vs. mod_php are both equally as
scalable, i.e. they rely on the Apache host. I could even argue PHP is
more scalable due to its ability to run on top of shitloads of APIs. So,
when your site breaks the 2 hits/sec threshold, and you need a scalable
web server and Apache is not it, a FastCGI or ISAPI-capable host might be.

> b) I don't believe that the general coding standard in the PHP binaries
>    is as high as is necessary to survive on the modern Internet

And you've read them, as well as perl. I'm impressed -- how old are you?
As someone who's debugged, modified, and written extensions for PHP, I'd
say it's one of the nicer programs around to work on. Fundamental
vulnerabilities are not uncommon -- in fact, you're guaranteed at least
one fuckup a month these days. PHP's POST handling vulnerability was
such a thing. This doesn't mean you lose all confidence in it.

> Therefore I'm not likely to run it anytime soon.

If I were in charge of a production PHP environment (thanks to the N.
Ireland I.T. industry, I'm not), it wouldn't be running facing the
Internet directly. Then again, neither would mod_perl or any other large
program with bits I hadn't explored.

At this point, I'd like to declare the classic "security is a myth"
followed by "end of thread", before this develops into a PHP vs. Perl,
which I c.b.a. with.

Dave.