Bugtraq mailing list archives
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Sat, 25 Feb 2006 10:07:52 +1300
On 22/02/06, Kevin Waterson <kevin () oceania net> wrote:
This one time, at band camp, Gadi Evron <ge () linuxbox org> wrote:3. Staying on top of new PHP vulnerabilities has become impossible, popping around everywhere.What vulnerabilities in PHP? Are implying the fault is within the language itself?
I think Gadi meant vulnerabilities in PHP applications; though the language doesn't make it particularly easy to write secure code.
This is akin to saying C has vulnerabilites because some script kiddie wrote a poor application.
Like this ? "We can give you advice on how to write good cryptographic code. Avoid any programming language that allows buffer overflows. Specifically: don't use C or C++" -- Practical Cryptography, Schneier and Ferguson, (p149 in my copy). It's a point of view that has something to be said for it. You *can* write secure code in C and PHP, but it takes a lot of care and most programmers don't take that care. I've been told privately that one penetration tester could gain system privileges on the majority of webservers he checked; that used to surprise me, but doesn't any longer. I don't whether that's a 'vulnerability', 'disadvantage' or 'feature' of PHP and other scripting languages. cheers, Jamie -- Jamie Riden / jamesr () europe com / jamie.riden () gmail com
Current thread:
- new linux malware Gadi Evron (Feb 20)
- Re: new linux malware Christine Kronberg (Feb 21)
- PHP as a secure language? PHP worms? [was: Re: new linux malware] Gadi Evron (Feb 22)
- Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Christine Kronberg (Feb 21)
- Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Thomas M. Payerle (Feb 26)
- Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Kevin Waterson (Feb 24)
- Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jamie Riden (Feb 26)
- Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Matthew Schiros (Feb 26)
- PHP as a secure language? PHP worms? [was: Re: new linux malware] Gadi Evron (Feb 22)
- Re: new linux malware Christine Kronberg (Feb 21)
- Re: new linux malware Gadi Evron (Feb 22)
- Re: new linux malware Jamie Riden (Feb 23)