Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]

To: "Kevin Waterson" <kevin@xxxxxxxxxxx>
Subject: Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
From: "Jamie Riden" <jamie.riden@xxxxxxxxx>
Date: Sat, 25 Feb 2006 10:07:52 +1300
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=TDTxosPtedE9W4gx8u8jqxk44xVAdxnLVDbxJ6j5v9FjG2iRAgpxKxZbHF08KS460tvk6YilgcSDT04ZoDEr6hymLVwBCQT2hAB4y4LmP4yc+rTuQYnoCDD12YL1dAGq4WLdNM5nJIMymW74HBMSsdDtTT4Jif4Hw2CUsQQV4fo=
In-reply-to: <20060222214855.144ca895.kevin@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <43F7A252.2040307@xxxxxxxxxxxx> <Pine.LNX.4.61.0602201749300.22544@xxxxxxxxxxxxxxxx> <43FA2508.7030008@xxxxxxxxxxxx> <20060222214855.144ca895.kevin@xxxxxxxxxxx>

On 22/02/06, Kevin Waterson <kevin@xxxxxxxxxxx> wrote:
> This one time, at band camp, Gadi Evron <ge@xxxxxxxxxxxx> wrote:
>
> > 3. Staying on top of new PHP vulnerabilities has become impossible,
> > popping around everywhere.
>
> What vulnerabilities in PHP?
> Are implying the fault is within the language itself?

I think Gadi meant vulnerabilities in PHP applications; though the
language doesn't make it particularly easy to write secure code.

> This is akin to saying C has vulnerabilites because some script kiddie
> wrote a poor application.

Like this ?

"We can give you advice on how to write good cryptographic code. Avoid
any programming language that allows buffer overflows. Specifically:
don't use C or C++" -- Practical Cryptography, Schneier and Ferguson,
(p149 in my copy).

It's a point of view that has something to be said for it. You *can*
write secure code in C and PHP, but it takes a lot of care and most
programmers don't take that care. I've been told privately that one
penetration tester could gain system privileges on the majority of
webservers he checked; that used to surprise me, but doesn't any
longer. I don't whether that's a 'vulnerability', 'disadvantage' or
'feature' of PHP and other scripting languages.

cheers,
 Jamie
--
Jamie Riden / jamesr@xxxxxxxxxx / jamie.riden@xxxxxxxxx

References:
- new linux malware
  - From: Gadi Evron
- Re: new linux malware
  - From: Christine Kronberg
- PHP as a secure language? PHP worms? [was: Re: new linux malware]
  - From: Gadi Evron
- Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
  - From: Kevin Waterson

Prev by Date: RE: Vulnerabilites in new laws on computer hacking
Next by Date: Re: H&R Block contact
Previous by thread: Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
Next by thread: Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
Index(es):
- Date
- Thread