On Mon, Nov 04, 2002 at 09:06:43AM +0000, Lusercop wrote:
> I wouldn't say that using suidperl is safe, but using perl as a whole,
> invoked by root, is not a bad thing. PHP has had remote attacks against
> it:
>      http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mod_php
> 
> Though I thought that there had been more than just that one. A remote

Perhaps you're thinking of Apache which has had plenty of remote
roots...

> What this boils down to, is that
> a) I don't believe that scalable and maintainable sites can be easily
>    written in PHP

Scalable how? It's certainly capable of serving millions of hits a day.
The article on amihotornot's creation is worth a read, and that's a
LAMPHP site, http://www.webtechniques.com/archives/2001/05/hong/

> b) I don't believe that the general coding standard in the PHP binaries
>    is as high as is necessary to survive on the modern Internet

Well this is patently empirically shown to be false, since there are
millions of installed PHP systems quite happily surviving (specifically,
staying up and not causing the administrator to unload PHP in horror at
the onslaught of attacks).

Although my comment about Apache was sarcastic it does seem odd that
people level these criticisms against Language X and yet the webserver
they *require* is apparently much more prone and dangerous, based on the
sheer number of serious vulnerabilities, let alone actual live exploits,
against it.

Someone, I think Roger, said (as I read it) there were lots of exploits
against PHP, but there too a lack of citation somewhat undermines that
stance. I've been running nessus in dangerous mode against my servers
for quite some time and more recently ISS and it's never found a
problem with PHP.

I'm not trying to persuade you to run PHP nor to be honest particularly
advocating it (I'm a mod_perl/TT sort of person after all!) but rather
that these kinds of broad statements really need to be thorough & backed
up with facts and citations. If the open source community is going to
criticize the commercial world (namely, MS for the most part) for
sloppiness and FUD then they need to keep their nose very clean, IMO.

Paul

-- 
Paul Makepeace ....................................... http://paulm.com/

"What is an airplane? It can only be street-cleaning."
   -- http://paulm.com/toys/surrealism/
