Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: How secure is PHP ?
From: Ron DuFresne <dufresne () winternet com>
Date: Mon, 22 Nov 2004 23:43:58 -0600 (CST)

On Thu, 4 Nov 2004, Stefan Esser wrote:

Nice try Ron,

while PHP indeed had lots of advisories in the past, your
list is FUD.

It's not *my* list, just happens to be the list I grabbed for context to
this thread.  The list was compliled over the years on security focus, I
claim no ownership! <smile>.

Many of the listed vulnerabilities are within non standard
or even EXPERIMENTAL extensions, are theoretical vulnerabilities,
are only exploitable if precondition a,b,c,d,e,f,g is fullfilled
or are only affecting the windows platform.

Look, even if as you say many are either requiring other specifics to be
sploited, that does not cover all, and even if the remaining have been
corrected at present, this still leaves php with a poor track record over
a shrt span of time.  And this does not even cover the point I infered
about there being, what did I mention earlier, like 74 php modules or
applications also listed in the same database with their own distinct
issues, some popping into context weekly or bi-weekly to these lists.  Now
as Gary wished to infer, "the problem is not php, it's the code, having
php as a apache module in and of itself does not make the website
sploitable", sure, this might be a fact at present, merely having the php
module running and not code present might not be a risk for what has been
so far discovered with php. But, why would one have a dead module running
under their httpd?  Now, let's imagine that for all intents and purposes
that all issues with php itself have been found and released and fixed.
Then I still hold to my statement that for the vast majority of folks who
do web apps and html tagging, php is far too;

it's too unweildly for the light at heart coders that dominate

Gary might well be that special php coder that always creates secure code,
perhaps you yourself fall into that space as well, that still leaves an
estimated 75% or more of all web applications in security muck <I know not
all are written in php> so if the base problem is all in the code, after
working out the interpreteres issues, then php still falls into a realm
I'm not putting anyplace but on my DMZ's, and not letting it pass inside
the perimiter, sorry.  The vast majority of web application coders are not
up to the task.


Ron DuFresne
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]