Re: PHP security (or the lack thereof)
Darren Reed said:
> From my own mail archives, PHP appears to make up at least 4% of the
> email to bugtraq I see - or over 1000 issues since 1995, out of the
> 25,000 I have saved.
Do you mean the PHP interpreter? Or applications written in PHP?
I'm not sure how many vulnerabilities were in the PHP interpreter
itself, but it looks like it's about 150 or so.
Applications that are WRITTEN in PHP, however, probably cover 20% or
more of all reported vulns this year. This is just a hunch - I don't
have any way of proving this. Most PHP apps don't have "php" in their
name, and I don't know of a vulnerability database that records which
programming language was used for an application. But the rest of
your email matches on "php" were probably PHP applications.
> People complain about applications like sendmail...in the same period,
> it has been responsible for less than 200.
It's more appropriate to compare the PHP language to the C language,
or to compare Sendmail to various high-profile PHP applications.
> Do we have a new contender for worst security offender ever written
Over the years, the PHP language has made it very easy for
inexperienced application programmers to shoot themselves in the foot,
and it has features that even experienced programmers might not know
to defend against. Sounds kinda like C, doesn't it?
One thing with PHP though, you don't need much training before you can
put together a usable program. Powerful features plus lots of
non-expert programmers equals a lot of vulnerabilities, regardless of
the language. PHP is slowly removing the most dangerous features, or
at least not enabling them by default.
I suspect that a large percentage of vulnerabilities could be fixed
with programming languages with built-in security considerations, and
an API that makes it easy or transparent to do safer programming.
- Steve
=======================================================================
Disclaimer: this document was publicly posted to foster timely
technical exchange. It may contain errors or omissions. The views
and opinions being expressed are those of Steve Christey and do not
necessarily reflect the views of The MITRE Corporation. Members of
the press are requested to contact me directly before quoting any
statements in this document.
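As an added illustration of the "easy to shoot yourself in the foot" point and of what a safer API looks like (example code, not part of the original post or of PHP itself): register_globals, which was on by default in early PHP 4, off by default from 4.2 and removed in 5.4, turned every request parameter into a PHP variable, and `extract($_GET)` reproduces that behaviour in current PHP. The request array and the `checkCredentials()` helper are constructed stand-ins.

```php
<?php
declare(strict_types=1);

// Constructed sample request: a query string the caller controls.
$_GET = ['page' => 'admin', 'is_admin' => '1'];

// Hypothetical stand-in for a real credential check; always fails here.
function checkCredentials(): bool
{
    return false;
}

// Fragile pattern: $is_admin is only assigned on the success path, so a
// request parameter of the same name can pre-populate it. extract() here
// reproduces what register_globals did for every script automatically.
function fragileIsAdmin(array $request): bool
{
    extract($request);                  // register_globals, reinvented
    if (checkCredentials()) {
        $is_admin = true;
    }
    return isset($is_admin) && (bool) $is_admin;
}

// Safer pattern: initialise every state variable, read input only through
// the explicit array, and validate it with the filter API rather than
// trusting or silently repairing it.
function safeIsAdmin(array $request): bool
{
    $is_admin = false;                  // explicit default always wins
    $page = filter_var(
        $request['page'] ?? '',
        FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[a-z]{1,32}$/']]
    );
    if ($page === false) {
        return false;                   // reject malformed input outright
    }
    if (checkCredentials()) {
        $is_admin = true;
    }
    return $is_admin;
}

var_dump(fragileIsAdmin($_GET));  // decided by the request parameter
var_dump(safeIsAdmin($_GET));     // decided only by checkCredentials()
```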