Bugtraq mailing list archives
Re: PHP security (or the lack thereof)
From: "Geo." <geoincidents () nls net>
Date: Tue, 20 Jun 2006 06:02:23 -0400
Well then we better start having web hosting companies who support ASP, Perl, CGI etc. be pointed out to the public so that when selecting a web host they know that they might be being put into an extreme risk situation.

Yes, that's exactly the point: the risks for each should be pointed out. Is there anyone here who follows the security lists that doesn't see a risk level difference between, say, ASP and PHP? Whether it's caused by the number of insecure applications available, the amount of knowledge about a particular platform, the amount of time being spent checking for exploits, the number of people using those extensions, whatever, there is certainly a difference in the risk factor of having one set of extensions over another available on public web servers (or private, for that matter).

How would you evaluate the risk level between two hosting services, one which offers only ASP or Perl and one which offers a two page checklist of extensions? How about just ASP compared to dot net? Do you not see the difference even without evaluating every piece of downloadable code written for each? Microsoft claims dot net is more secure (they claim everything new is more secure than their last version) and the security community sits by without comment.

What we need is a rating system, a risk level assessment of each of the server side extensions available based on how powerful they are, how easy or difficult it is to write bad code, how often they require patching or the apps written for them require patching, how often each are being used to exploit servers, etc. We need some sort of a rating system that allows the users to see the difference and to understand that more doesn't always mean better.

Geo.