----- Original Message -----
From: "Chris Berry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 01, 2003 3:42 AM
Subject: Re: Ten least secure programs
> >From: Mitch Pirtle <[EMAIL PROTECTED]>
> >7) BIND
>
> I thought about listing that one, but there aren't really any alternatives
> are there? No point in complaining if you can't switch to something else.

DJBDNS http://www.djbdns.org/

> >Oh, IMNSHO, PHP isn't insecure, it's the people using it. I could do
> >just as much damage writing something in Perl, .NET, even HTML...
> >Pretty much anything 'cept python ;^P
>
> It just seems like I get a ton of vulnerability reports from PHP itself and
> programs written using it, could be because it's popular, but I don't think
> that's the whole story.

Some exploits exist directly due to the fault of the engine, but most are due to the fact that it gives "newbie" or non-security-minded programmers a lot of power, easily. Writing a non-XSS-vulnerable app (for example) is quite possible in PHP, it's just not easy. Perl at least has libraries for sanitizing input.*

*Disclaimer: I haven't seen much info on sanitizing input in PHP, maybe there is some.

Nick
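The XSS point Nick makes above, as an added example that is not part of the original thread or from any of its participants: a search-result page that echoes user input, first the way a newcomer writes it, then with input validated on the way in and output escaped on the way out using PHP's own `htmlspecialchars()`. The function names, the whitelist pattern and the sample inputs are assumptions made for this illustration; the sample inputs are constructed inline so the script runs from the CLI without a web server.

```php
<?php
// Added example, not code from the original mailing-list thread.
// Sample inputs are constructed inline; a real page would read $_GET['q'].

// --- Vulnerable: raw input copied straight into HTML ---
function render_vulnerable($q) {
    return "<p>Results for: $q</p>";
}

// --- Hardened, step 1: validate input against a whitelist on the way in ---
// Assumption for this example: a search term is at most 64 characters of
// letters, digits, spaces and a few punctuation marks. Anything else is
// rejected outright rather than "cleaned up", so the failure is visible.
function validate_query($q) {
    if (!is_string($q) || strlen($q) > 64) {
        return false;
    }
    return (bool) preg_match('/^[A-Za-z0-9 .,\'_-]+$/', $q);
}

// --- Hardened, step 2: escape on the way out, for the HTML context ---
// ENT_QUOTES also encodes the single quote, so the value is safe inside
// single-quoted attributes, not only in element text.
function html_escape($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_hardened($q) {
    if (!validate_query($q)) {
        return '<p>Invalid search term.</p>';
    }
    return '<p>Results for: ' . html_escape($q) . '</p>';
}

// Constructed sample inputs: one benign, one benign but containing a
// character that matters in HTML, one carrying a script tag.
$samples = array(
    'secure programming',
    "O'Reilly's PHP book",
    '<script>alert(document.cookie)</script>',
);

foreach ($samples as $q) {
    echo "Input:      $q\n";
    echo "Vulnerable: " . render_vulnerable($q) . "\n";
    echo "Hardened:   " . render_hardened($q) . "\n\n";
}
```

The validation step rejects the script tag before it reaches the page; the escaping step turns the apostrophe in the second input into an entity so it cannot break out of a quoted attribute. Both are needed: whitelisting alone fails as soon as the field legitimately has to accept `<` or `&`, and escaping has to be done with the encoder for the context the value lands in (an HTML body, an attribute, a URL and a JavaScript string each need different treatment), which is most of why doing this correctly throughout a PHP application is not easy.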
