> Neil Neely wrote:
> For those of us that have to administer shared hosting
> servers where customers can and do build/install very poorly
> written web applications it can be a full time job trying to
> protect your server.
Snip
At the ISP I used to run, we used a "chroot jail" so that ev
Would you prefer to use something that was designed to be secure
or something that had security applied to it as an afterthought?
As time goes by, if something is designed to be secure then the
number of bugs that impact security should diminish with time
because they are flaws in the implementat
On Monday 26 June 2006 10:38 pm, Ronald Chmara wrote:
> On Jun 24, 2006, at 3:42 PM, Darren Reed wrote:
> > In some mail from john mullee, sie said:
> >> --- Darren Reed <[EMAIL PROTECTED]> wrote:
> >> I guess most of the remaining offending apps were written in C: as
> >> much as 96% ?!!
> >> (inc
This one time, at band camp, "Geo." <[EMAIL PROTECTED]> wrote:
> There are lots of web programs written in perl, asp, even cold fusion. But
> when I watch the security lists I see exploit after exploit for web
> applications and the vast majority of them have one thing in common, they
> are writ
In some mail from Tonnerre Lombard, sie said:
> Salut,
>
> On Sun, 2006-06-25 at 08:42 +1000, Darren Reed wrote:
> > There have barely a *handful* of JRE/JVM security problems.
>
> I know for a fact that there are quite some though. Also, what should
> one think about a company that didn't mana
Salut,
On Sun, 2006-06-25 at 08:42 +1000, Darren Reed wrote:
> There have barely a *handful* of JRE/JVM security problems.
I know for a fact that there are quite some though. Also, what should
one think about a company that didn't manage to fix a simple path
traversal vulnerability in their jar
> That's a rather odd question. Microsoft has been (rightly) criticized
> for providing server *applications* that are insecurely configured (as
> you point out), but php is not an application. Php is a language, so
> until a program or script is written and accessible from the server, it
> does
> > Is php secure by default when it's installed on a server?
> >
>
> This question does not really have any meaning. If you ask, if php
> _applications_ are secure by default, the answer is of course "it
> depends" (most php applications are broken. Just do a
> "grep -R eval ." and see for yoursel
On Jun 24, 2006, at 3:42 PM, Darren Reed wrote:
In some mail from john mullee, sie said:
--- Darren Reed <[EMAIL PROTECTED]> wrote:
I guess most of the remaining offending apps were written in C: as
much as 96% ?!!
(including basically all of microsoft's stuff!!)
Surely the least secure langu
> You may be making some erroneous assumptions about who, or what, PHP
> quantifies a "web developer" as. As the manual notes, PHP scales,
> security wide, from extremely rigid to extremely flexible, as needed.
> It is simultaneously being used as a multi-million-users piece of core
> soft
Crispin Cowan wrote:
> > Trying to make the language 'safe' won't fix it because the
> > language is not the problem. The real problem is the way PHP is
> > presented to most new developers.
> >
> > PHP has been introduced as a tool for the web developer. As a
> > language its goal is "to allow w
On Fri, 23 Jun 2006, Crispin Cowan wrote:
> [EMAIL PROTECTED] wrote:
> > Trying to make the language 'safe' won't fix it because the language
> > is not the problem. The real problem is the way PHP is presented to
> > most new developers.
> >
> > * snip *
> >
> That is a fascinating perspective.
In some mail from john mullee, sie said:
>
> --- Darren Reed <[EMAIL PROTECTED]> wrote:
> > From my own mail archives, PHP appears to make up at least 4%
> > of the email to bugtraq I see - or over 1000 issues since 1995,
> > out of the 25,000 I have saved.
> >
> > People complain about applicati
> The other is to contrive a language that is both sufficient for dynamic
> web content development, and also *not* Turing-complete. I have no idea
> what such a language might look like, or even whether the intersection
> of these two requirements is the null set.
Nice idea, but PHP in its default
At 18:06 on Monday 26 June 2006, Geo.:
> ...
>> "The configuration flexibility of PHP is equally rivalled by the code
>> flexibility. PHP can be used to build complete server applications,
>> with all the power of a shell user, or it can be used for simple
>> server-side includes with little ri
* Geo. ([EMAIL PROTECTED]) wrote:
> ...
> > "The configuration flexibility of PHP is equally rivalled by the code
> > flexibility. PHP can be used to build complete server applications,
> > with all the power of a shell user, or it can be used for simple
> > server-side includes with little risk
Geo. wrote:
...
"The configuration flexibility of PHP is equally rivalled by the code
flexibility. PHP can be used to build complete server applications,
with all the power of a shell user, or it can be used for simple
server-side includes with little risk in a tightly controlled
environment.
...
> "The configuration flexibility of PHP is equally rivalled by the code
> flexibility. PHP can be used to build complete server applications,
> with all the power of a shell user, or it can be used for simple
> server-side includes with little risk in a tightly controlled
> environment. How y
On Jun 21, 2006, at 4:52 PM, [EMAIL PROTECTED] wrote:
Trying to make the language 'safe' won't fix it because the language
is not the problem. The real problem is the way PHP is presented to
most new developers.
PHP has been introduced as a tool for the web developer. As a language
its goal is
> I think that any ability of the (l)users to expose executables as web
> services threatens the security of the web server machine, irrespective of
> programming language. (But I don't see how it threatens "the internet" --
> they can already connect their own misconfigured machine to the net
di
--- Darren Reed <[EMAIL PROTECTED]> wrote:
> From my own mail archives, PHP appears to make up at least 4%
> of the email to bugtraq I see - or over 1000 issues since 1995,
> out of the 25,000 I have saved.
>
> People complain about applications like sendmail...in the same
> period, it has been re
[EMAIL PROTECTED] wrote:
> Trying to make the language 'safe' won't fix it because the language is not
> the problem. The real problem is the way PHP is presented to most new
> developers.
>
>
> PHP has been introduced as a tool for the web developer. As a language its
> goal is "to allow web de
Trying to make the language 'safe' won't fix it because the language is not the
problem. The real problem is the way PHP is presented to most new developers.
PHP has been introduced as a tool for the web developer. As a language its goal
is "to allow web developers to write dynamically generate
Geo. wrote:
> I think when evaluating how dangerous something is to the internet you have
> to look at how it's used and how much risk that creates.
>
> For example, allowing users to upload and execute any C executable file to a
> public web server can prove to be quite dangerous.
>
> I think the
> Well then we better start having web hosting companies who support ASP,
> Perl, CGI etc. be pointed out to the public so that when selecting a web
> host they know that they might be being put into an extreme risk
> situation.
Yes that's exactly the point, the risks for each should be pointed out
> Do you not think stuff like this should be pointed out to the public so
> that when selecting a web host they know that one who supports PHP may be
> putting them at extreme risk compared to one who is a bit more security
> conscious?
Well then we better start having web hosting companies who supp
>For example, allowing users to upload and execute any C executable file to a
>public web server can prove to be quite dangerous.
>
>I think the same can be said for allowing PHP on a public web server, you
>have just allowed anyone with a website to compromise the entire machine.
I think the rele
I'm not too sure you can count phpBB as "the winner" here. As far as I
can recall, it has had only two major vulns. I would say "the winner"
would be something like phpNUKE (to put my point, phpNUKE has had 31
vulns from 2003 to present day of which most are unpatched, whereas
phpBB has had 32 in
On Jun 16, 2006, at 5:21 AM, Darren Reed wrote:
[Funny commentary picking on PHP deleted]
For those of us that have to administer shared hosting servers where
customers can and do build/install very poorly written web
applications it can be a full time job trying to protect your
server.
> this is an unfair comparison, i think, and you're not the first to make
> such an argument. PHP is a language, one that lends itself to insecure
> paradigms and practices. but, so does C and its built-in string handling
> functions, and that's a similar source of security bugs over the years.
>
On Fri, 16 Jun 2006, Darren Reed wrote:
From my own mail archives, PHP appears to make up at least 4% of the
email to bugtraq I see - or over 1000 issues since 1995, out of the
25,000 I have saved.
People complain about applications like sendmail...in the same period,
it has been responsible
Darren Reed said:
> From my own mail archives, PHP appears to make up at least 4% of the
> email to bugtraq I see - or over 1000 issues since 1995, out of the
> 25,000 I have saved.
Do you mean the PHP interpreter? Or applications written in PHP?
I'm not sure how many vulnerabilities were i
On 6/16/06, Darren Reed <[EMAIL PROTECTED]> wrote:
From my own mail archives, PHP appears to make up at least 4%
of the email to bugtraq I see - or over 1000 issues since 1995,
out of the 25,000 I have saved.
People complain about applications like sendmail...in the same
period, it has been res