Hmm. Not the most accurate post I've seen so far, but it reaches quite
high on the other side of the scale.
First of all, PHP is a scripting language with built-in overflow checking.
Not trusting user data (from $_POST, $_GET, or $_COOKIE) is of course
healthy, but PHP is NOT vulnerable to buffer overflows from PHP scripts.
Second of all, PHP is a scripting language (heard it before?), which
means that the code doesn't GET compiled at all. It gets interpreted at
run-time by a parsing engine, just like any other scripting language.
Third of all, 'placing' a website on a server with a lot of memory does
absolutely nothing to improve security. It addresses performance and
nothing else.
Fourth of all, placing 'website code' (I suppose you mean HTML, PHP and
cgi-scripts) on a CD does NOT prevent it from being defaced. If the
system runs on writable media it's child's play to anyone with root
access, half a brain and a friggin palm pilot to make the webserver
daemon read any directory they damn well please. Running the entire
system from a CD is a different matter, but it makes for extremely
cumbersome management and is generally not an option.
...
/Andreas Ericsson
Herbold, John W. wrote:
> A simple one, but watch for overflow. If you allow a user to input,
> use edits. Do not rely on HTML or Java edits, as they can bypass
> those by typing in the URL. It has also been recommended that all
> code gets compiled, so the code can not be compromised. I have also
> heard of placing the website code on a server with a lot of memory,
> and placing the entire website on a CD-ROM, so it can not be defaced.
>
>
> Thanks,
>
> John W. Herbold Jr.
> Security Specialist
> 501-399-3939
--
If riding in a plane is flying, then riding in a boat is swimming.
If you want to experience the element; get out of the vehicle!
Received on Nov 24 2003
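As an added illustration of the point made in the reply above, that data from $_POST, $_GET or $_COOKIE has to be checked on the server because HTML or Java "edits" are skipped by simply typing the value into the URL, here is example code that is not from either poster; the username policy (3 to 32 characters, letters, digits, '_' and '-') is an assumed example policy.

```php
<?php
// Added example (not from the original thread): server-side validation of
// user-supplied data. Client-side limits (HTML maxlength, JavaScript checks)
// are advisory only, because a user can send any value directly in the URL
// or POST body, so every constraint is re-checked here in PHP.

declare(strict_types=1);

/**
 * Validate a username supplied via $_GET/$_POST.
 * Returns the clean value, or null if the input is rejected.
 * Assumed policy: 3-32 chars, letters, digits, '_' and '-' only.
 */
function validate_username(mixed $raw): ?string
{
    if (!is_string($raw)) {            // arrays (?name[]=x) are rejected too
        return null;
    }
    if (strlen($raw) < 3 || strlen($raw) > 32) {
        return null;
    }
    if (preg_match('/^[A-Za-z0-9_-]+$/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Constructed request values simulating what can arrive on the server
// regardless of what the HTML form allowed.
$samples = [
    'alice_01',                         // accepted
    str_repeat('A', 500),               // longer than any form maxlength
    "bob'; DROP TABLE users; --",       // characters outside the whitelist
    ['x', 'y'],                         // array smuggled in via ?name[]=x&name[]=y
];

foreach ($samples as $sample) {
    $result = validate_username($sample);
    $shown = is_array($sample) ? 'array(' . count($sample) . ')' : substr($sample, 0, 20);
    printf("%-24s => %s\n", $shown, $result === null ? 'rejected' : 'accepted');
}

// In a real handler the same function guards the request:
// $name = validate_username($_POST['name'] ?? null);
// if ($name === null) { http_response_code(400); exit('Bad input'); }
```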