Full Disclosure
mailing list archives
Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
From: "KJK::Hyperion" <hackbunny () s0ftpj org>
Date: Mon, 08 Oct 2007 05:13:46 +0200
Geo. wrote:
> 2) That said program can protect itself against overtly malicious input.
> Ok then, I can mark you down as one who believes that all the php exploits
> blamed on bad code writing are actually the fault of php and not the
> application coded using its powerful functionality?
No no, mark *me*. PHP is the language...
... that didn't support prepared SQL statements until *revision 5*
... whose syntax can be changed arbitrarily by configuration
... whose applications can, by default, have their code arbitrarily
overwritten by environment variables and user input
... that doesn't have a "text string" data type, despite being expected
to output text by default
... whose "faux text string" type is counted and NUL-terminated at the
same time, inspiring the misguided belief that they can be safely passed
by pointer to external libraries written in C. Never mind the embedded
NULs, what about encoding issues?
... where the "0" string counts as "false"
... meant for web application development, but without any shape, form
or sort of security model, outside of global policies. Even Netscape's
server side Javascript had data tainting, god damn it
... that makes auditing impossible by allowing three or four different
semantics for any dangerous operation (file I/O, process creation...),
some of which are overloads of generic functions
... without structured error handling
... without a library model
PHP promotes piecemeal development of shoddy throw-away applications
pretty much by design, and it does so proudly. No coincidence that it
was mated to MySQL, of all databases. They're like the Britney Spears
and K-Fed of web applications
I mean, have you ever seen an ASP, ASP.NET or Java EE application mangle
your single quotes and backslashes?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
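Added example, not from the original message nor from Geo. or KJK::Hyperion: a PHP fragment showing defensive checks for three of the pitfalls listed above (the falsy "0" string, embedded NUL bytes reaching C-backed functions, and request data overwriting variables). All function and variable names are my own choices, and the request array is constructed for illustration.

```php
<?php
// Added example (not from the original post): defensive handling of three
// PHP pitfalls the message lists. Function and variable names are
// illustrative choices, not part of any real application.
declare(strict_types=1);

// Pitfall 1: the string "0" is falsy, so `if ($value)` silently rejects a
// legitimate "0" parameter. Test presence and emptiness explicitly.
function paramIsPresent(array $request, string $name): bool
{
    return isset($request[$name]) && $request[$name] !== '';
}

// Pitfall 2: a PHP string may contain NUL bytes, but a C library reading it
// as a char* stops at the first NUL, so "report.txt\0.png" becomes
// "report.txt". Reject such input before it reaches a native-backed call.
function assertNoNul(string $value): string
{
    if (strpos($value, "\0") !== false) {
        throw new InvalidArgumentException('embedded NUL byte in input');
    }
    return $value;
}

// Pitfall 3: register_globals (and extract($_GET)) let request data
// overwrite arbitrary variables. Copy only an explicit allow-list instead,
// so a stray "is_admin" parameter never lands in a variable by that name.
function pickParams(array $request, array $allowed): array
{
    $out = [];
    foreach ($allowed as $name) {
        if (paramIsPresent($request, $name)) {
            $out[$name] = assertNoNul((string) $request[$name]);
        }
    }
    return $out;
}

// Constructed sample request: "id" is the legitimate but falsy "0",
// "is_admin" is an unexpected parameter, "file" carries an embedded NUL.
$request = ['id' => '0', 'is_admin' => '1', 'file' => "report.txt\0.png"];

// "id" is accepted even though (bool) "0" is false.
var_dump(paramIsPresent($request, 'id'), (bool) $request['id']);
// Only "id" survives; "is_admin" is dropped because it is not allow-listed.
var_dump(pickParams($request, ['id']));
try {
    pickParams($request, ['file']);   // throws: embedded NUL byte
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```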
Current thread:
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype, (continued)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Valdis . Kletnieks (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Geo. (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype KJK::Hyperion (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype gjgowey (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype john lokka (Oct 09)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype KJK::Hyperion (Oct 09)
- Third-party patch for CVE-2007-3896 (Internet Explorer 7 invalid URI handling) available KJK::Hyperion (Oct 13)
- Re: Third-party patch for CVE-2007-3896, UPDATE NOW KJK::Hyperion (Oct 17)