Re: PHP security (or the lack thereof)
I'm not too sure you can count phpBB as "the winner" here. As far as I
can recall, it has had only two major vulns. I would say "the winner"
would be something like phpNUKE (to put my point, phpNUKE has had 31
vulns from 2003 to present day of which most are unpatched, where as
phpBB has had 32 in the same range, but *all* are patched, and most
are due to IE parsing some of the most invalid HTML to allow XSS.
(about 11 of the 32 are pure XSS due to IE).
You're quite right that the comparison of PHP to sendmail is
apples/oranges. However, when you have a language which "anyone" can
use, you're going to get a huge number of people who use it
incorrectly with the results as you see here. This will only increase,
as more and more hosts have PHP enabled, and PHP becomes easier to
install.
That's not to say the PHP group have not been working on the issue;
their recent meeting about PHP6 saw the dropping of things like magic
quotes, open basedir, and talks about including code to allow fopen to
access remote URL's, but making it a separate option which is disabled
by default that controls the use of URL's in include() and the like.
Talks about sandboxing have also been done, however it was decided
that there's no decent secure way to sandbox a PHP application at
present.
Jessica
On 6/17/06, Bojan Zdrnja <bojan.zdrnja@xxxxxxxxx> wrote:
On 6/16/06, Darren Reed <avalon@xxxxxxxxxxxxxxxxxxx> wrote:
>
> From my own mail archives, PHP appears to make up at least 4%
> of the email to bugtraq I see - or over 1000 issues since 1995,
> out of the 25,000 I have saved.
>
> People complain about applications like sendmail...in the same
> period, it has been resopnsible for less than 200.
>
> Do we have a new contender for worst security offender ever
> written ?
Well, PHP is a programming language and Sendmail is an application -
I'd say you are comparing apples and oranges here.
If you really want to compare applications, take phpBB for example
(which is the winner in this case), but I don't think it makes much
sense looking for a new contender for worst security offender ever
written ...
Bojan