RE: [lists] Re: PHP security (or the lack thereof)

2006-07-18 Thread Curt Purdy
Neil Neely wrote: For those of us that have to administer shared hosting servers where customers can and do build/install very poorly written web applications it can be a full time job trying to protect your server. Snip At the ISP I used to run, we used a chroot jail so that every

Re: PHP security (or the lack thereof)

2006-07-10 Thread Darren Reed
Would you prefer to use something that was designed to be secure or something that had security applied to it as an afterthought? As time goes by, if something is designed to be secure then the number of bugs that impact security should diminish with time because they are flaws in the

Re: PHP security (or the lack thereof)

2006-07-05 Thread Dan Falconer
On Monday 26 June 2006 10:38 pm, Ronald Chmara wrote: On Jun 24, 2006, at 3:42 PM, Darren Reed wrote: In some mail from john mullee, sie said: --- Darren Reed [EMAIL PROTECTED] wrote: I guess most of the remaining offending apps were written in C: as much as 96% ?!! (including basically

Re: PHP security (or the lack thereof)

2006-07-01 Thread Kevin Waterson
This one time, at band camp, Geo. [EMAIL PROTECTED] wrote: There are lots of web programs written in perl, asp, even cold fusion. But when I watch the security lists I see exploit after exploit for web applications and the vast majority of them have one thing in common, they are written in

RE: PHP security (or the lack thereof)

2006-06-28 Thread Geo.
That's a rather odd question. Microsoft has been (rightly) criticized for providing server *applications* that are insecurely configured (as you point out), but php is not an application. Php is a language, so until a program or script is written and accessible from the server, it does

Re: PHP security (or the lack thereof)

2006-06-28 Thread Tonnerre Lombard
Hi, On Sun, 2006-06-25 at 08:42 +1000, Darren Reed wrote: There have barely a *handful* of JRE/JVM security problems. I know for a fact that there are quite some though. Also, what should one think about a company that didn't manage to fix a simple path traversal vulnerability in their

Re: PHP security (or the lack thereof)

2006-06-28 Thread Darren Reed
In some mail from Tonnerre Lombard, sie said: Hi, On Sun, 2006-06-25 at 08:42 +1000, Darren Reed wrote: There have barely a *handful* of JRE/JVM security problems. I know for a fact that there are quite some though. Also, what should one think about a company that didn't manage to

Re: Re: PHP security (or the lack thereof)

2006-06-27 Thread nabiy
You may be making some erroneous assumptions about who, or what, PHP quantifies a web developer as. As the manual notes, PHP scales, security wide, from extremely rigid to extremely flexible, as needed. It is simultaneously being used as a multi-million-users piece of core software

Re: PHP security (or the lack thereof)

2006-06-27 Thread Ronald Chmara
On Jun 24, 2006, at 3:42 PM, Darren Reed wrote: In some mail from john mullee, sie said: --- Darren Reed [EMAIL PROTECTED] wrote: I guess most of the remaining offending apps were written in C: as much as 96% ?!! (including basically all of microsoft's stuff!!) Surely the least secure

RE: PHP security (or the lack thereof)

2006-06-26 Thread Geo.
... The configuration flexibility of PHP is equally rivalled by the code flexibility. PHP can be used to build complete server applications, with all the power of a shell user, or it can be used for simple server-side includes with little risk in a tightly controlled environment. How you

Re: PHP security (or the lack thereof)

2006-06-26 Thread Paul Schmehl
Geo. wrote: ... The configuration flexibility of PHP is equally rivalled by the code flexibility. PHP can be used to build complete server applications, with all the power of a shell user, or it can be used for simple server-side includes with little risk in a tightly controlled environment.

Re: PHP security (or the lack thereof)

2006-06-26 Thread Matthias Kestenholz
* Geo. ([EMAIL PROTECTED]) wrote: ... The configuration flexibility of PHP is equally rivalled by the code flexibility. PHP can be used to build complete server applications, with all the power of a shell user, or it can be used for simple server-side includes with little risk in a

Re: PHP security (or the lack thereof)

2006-06-26 Thread Mrten
At 18:06 on Monday 26 June 2006, Geo.: ... The configuration flexibility of PHP is equally rivalled by the code flexibility. PHP can be used to build complete server applications, with all the power of a shell user, or it can be used for simple server-side includes with little risk in a

Re: PHP security (or the lack thereof)

2006-06-26 Thread Daniel Hulme
The other is to contrive a language that is both sufficient for dynamic web content development, and also *not* Turing-complete. I have no idea what such a language might look like, or even whether the intersection of these two requirements is the null set. Nice idea, but PHP in its default

Re: PHP security (or the lack thereof)

2006-06-26 Thread Darren Reed
In some mail from john mullee, sie said: --- Darren Reed [EMAIL PROTECTED] wrote: From my own mail archives, PHP appears to make up at least 4% of the email to bugtraq I see - or over 1000 issues since 1995, out of the 25,000 I have saved. People complain about applications like

Re: PHP security (or the lack thereof)

2006-06-26 Thread Tobias J. Kreidl
On Fri, 23 Jun 2006, Crispin Cowan wrote: [EMAIL PROTECTED] wrote: Trying to make the language 'safe' won't fix it because the language is not the problem. The real problem is the way PHP is presented to most new developers. * snip * That is a fascinating perspective. Web

Re: PHP security (or the lack thereof)

2006-06-24 Thread Geo.
I think that any ability of the (l)users to expose executables as web services threatens the security of the web server machine, irrespective of programming language. (But I don't see how it threatens the internet -- they can already connect their own misconfigured machine to the net

Re: Re: PHP security (or the lack thereof)

2006-06-23 Thread nabiy
Trying to make the language 'safe' won't fix it because the language is not the problem. The real problem is the way PHP is presented to most new developers. PHP has been introduced as a tool for the web developer. As a language its goal is to allow web developers to write dynamically

Re: PHP security (or the lack thereof)

2006-06-23 Thread Crispin Cowan
[EMAIL PROTECTED] wrote: Trying to make the language 'safe' won't fix it because the language is not the problem. The real problem is the way PHP is presented to most new developers. PHP has been introduced as a tool for the web developer. As a language its goal is to allow web

Re: PHP security (or the lack thereof)

2006-06-23 Thread john mullee
--- Darren Reed [EMAIL PROTECTED] wrote: From my own mail archives, PHP appears to make up at least 4% of the email to bugtraq I see - or over 1000 issues since 1995, out of the 25,000 I have saved. People complain about applications like sendmail...in the same period, it has been

Re: PHP security (or the lack thereof)

2006-06-22 Thread Crispin Cowan
Geo. wrote: I think when evaluating how dangerous something is to the internet you have to look at how it's used and how much risk that creates. For example, allowing users to upload and execute any C executable file to a public web server can prove to be quite dangerous. I think the same

Re: PHP security (or the lack thereof)

2006-06-21 Thread Jessica Hope
I'm not too sure you can count phpBB as the winner here. As far as I can recall, it has had only two major vulns. I would say the winner would be something like phpNUKE (to put my point, phpNUKE has had 31 vulns from 2003 to present day of which most are unpatched, whereas phpBB has had 32 in

Re: PHP security (or the lack thereof)

2006-06-21 Thread Alan J Rosenthal
For example, allowing users to upload and execute any C executable file to a public web server can prove to be quite dangerous. I think the same can be said for allowing PHP on a public web server, you have just allowed anyone with a website to compromise the entire machine. I think the relevant

Re: PHP security (or the lack thereof)

2006-06-21 Thread kicktd
Do you not think stuff like this should be pointed out to the public so that when selecting a web host they know that one who supports PHP may be putting them at extreme risk compared to one who is a bit more security conscious? Well then we better start having web hosting companies who

Re: PHP security (or the lack thereof)

2006-06-21 Thread Geo.
Well then we better start having web hosting companies who support ASP, Perl, CGI etc. be pointed out to the public so that when selecting a web host they know that they might be being put into an extreme risk situation. Yes that's exactly the point, the risks for each should be pointed out.

Re: PHP security (or the lack thereof)

2006-06-19 Thread Neil Neely
On Jun 16, 2006, at 5:21 AM, Darren Reed wrote: [Funny commentary picking on PHP deleted] For those of us that have to administer shared hosting servers where customers can and do build/install very poorly written web applications it can be a full time job trying to protect your server.

Re: PHP security (or the lack thereof)

2006-06-17 Thread Bojan Zdrnja
On 6/16/06, Darren Reed [EMAIL PROTECTED] wrote: From my own mail archives, PHP appears to make up at least 4% of the email to bugtraq I see - or over 1000 issues since 1995, out of the 25,000 I have saved. People complain about applications like sendmail...in the same period, it has been

Re: PHP security (or the lack thereof)

2006-06-17 Thread Steven M. Christey
Darren Reed said: From my own mail archives, PHP appears to make up at least 4% of the email to bugtraq I see - or over 1000 issues since 1995, out of the 25,000 I have saved. Do you mean the PHP interpreter? Or applications written in PHP? I'm not sure how many vulnerabilities were in

Re: PHP security (or the lack thereof)

2006-06-17 Thread Jose Nazario
On Fri, 16 Jun 2006, Darren Reed wrote: From my own mail archives, PHP appears to make up at least 4% of the email to bugtraq I see - or over 1000 issues since 1995, out of the 25,000 I have saved. People complain about applications like sendmail...in the same period, it has been