dave b <db.pub.m...@gmail.com> writes:
> On 28 July 2010 12:23, Matthew Hannigan <m...@zip.com.au> wrote:
>> On Tue, Jul 27, 2010 at 04:04:05PM +1000, Ben Donohue wrote:
>> [ .... ]
>>> How about a DNS, squid and web server with multiple name based
>>> virtual domains on the same box?
>>>
>>> Is doing the above really dangerous on a fully patched and up to
>>> date system?
>> Also depends on the webapp.
>> I'd be more comfortable with java (especially with security
>> manager on) which is after all another form of vm.
>>
>> With php (wordpress, drupal, moodle, or home grown) definitely not
>> comfortable.
>
> While I also dislike php, what did the last PM's website use? Drupal. What
> does the president of the United States use? Drupal. I can keep on going :)

Which government website had a big security hole from their CMS?  *grin*

Not that you are wrong: using tools like WordPress, Drupal, Moodle, and Joomla
is reasonably safe, regardless of the language they are written in; their
security is primarily dependent on the quality of the authors.


One of the PHP problems is that there is so much "home grown" written in it
that, today, it lives in the same place that Perl did years back: as the go-to
language for people who don't know enough to write a secure application, so
build insecure things.[1]


> Java is like php, there are also language flaws coming out to bite you real
> soon. /me mutters something about OH MY THEY ESCAPED FROM THE JVM.

Do you have a reference for that?


> Also, if you really care about the security of the system - install
> grsecurity[1]. You shouldn't be taking any chances :P

...but why?  What actual security value does that add, compared to the vanilla
kernels which do, oh, everything listed in their bullet point feature list,
and out of the box covers over eighty percent of them?


Pro tip: asserting that an RBAC system will increase security is silly without
actually understanding how it will be used; people can do things just as badly
with RBAC as without.

        Daniel

Footnotes: 
[1]  Yes, IMO, the PHP language "design" encourages extremely poor practice,
     and the almost religious avoidance of database abstraction makes SQL
     injection issues more common, but fundamentally this isn't the cause of
     the problems — since Perl with DBI wasn't that much better, frankly, on
     the SQL injection front.

-- 
✣ Daniel Pittman            ✉ dan...@rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
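The footnote's point about skipping database abstraction, shown as an added example that is not part of the thread: the same lookup written by string concatenation and then through PDO placeholders, run against a constructed in-memory SQLite table (the table, rows, and function names are assumptions for this demo).

```php
<?php
// Constructed fixture: an in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)');
$db->exec("INSERT INTO users (name, pw) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// The "home grown" pattern: user-supplied values pasted straight into the SQL text.
// Any quote in the input changes the statement, whether by accident or on purpose.
function loginConcat(PDO $db, string $name, string $pw): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$name' AND pw = '$pw'";
    return (int) $db->query($sql)->fetchColumn();
}

// The abstraction-layer version: the statement is fixed, values are bound
// separately, so input is always compared as data and never parsed as SQL.
function loginPrepared(PDO $db, string $name, string $pw): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE name = :name AND pw = :pw');
    $stmt->execute([':name' => $name, ':pw' => $pw]);
    return (int) $stmt->fetchColumn();
}

// 1. An ordinary value containing an apostrophe: concatenation breaks the query.
try {
    loginConcat($db, "O'Brien", 'x');
} catch (PDOException $e) {
    echo "concat:   syntax error on a legitimate name\n";
}
echo "prepared: " . loginPrepared($db, "O'Brien", 'x') . " rows (no error)\n";

// 2. The textbook tautology: concatenation matches every row, placeholders match none.
$tautology = "' OR '1'='1";
echo "concat:   " . loginConcat($db, 'alice', $tautology) . " rows\n";   // 2
echo "prepared: " . loginPrepared($db, 'alice', $tautology) . " rows\n"; // 0
```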
