Bugtraq mailing list archives
Re: PHP security (or the lack thereof)
From: Ronald Chmara <ron () Opus1 COM>
Date: Mon, 26 Jun 2006 20:38:32 -0700
On Jun 24, 2006, at 3:42 PM, Darren Reed wrote:
In some mail from john mullee, sie said:--- Darren Reed <avalon () caligula anu edu au> wrote:I guess most of the remaining offending apps were written in C: as much as 96% ?!!(including basically all of microsoft's stuff!!) Surely the least secure language of all time !!! Note also that no vulnerable apps were written in:- cobol, rpg3, prolog, ada, scheme, lisp, pl/1, occam, modula-2, or MIXBut in the 1990s, Java was created. Java applications exist. Java servlets and applets also exist. There have barely a *handful* of JRE/JVM security problems.
Since this discussion started with dubious metrics (using how many posts were made to a discussion list, rather than how many security issues have been reported), I thought it might be wiser to use something with firmer metrics, actual CVE reports (insert disclaimer here):
Popular Web languages: <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Python> has 17. <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jsp> has 74. <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Perl> has 94. <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ASP> has 113. <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Java> has 152. <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Javascript> has 288. <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cgi> has 576. <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=PHP> has 1181. Web servers: <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=IIS> has 147. <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Apache> has 193. The usual suspects:<http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SQL+injection> has 1434.
<http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=XSS> has 2121.
So the point of this is to say that new, modern, development languages that are secure
For the fun of comparing apples and oranges: <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Sendmail> has 61.The newish Java language has more holes than the venerable sendmail application? ;-)
can be and are being developed and used. That PHP is relatively new with respect to computing and has so many security problems should be an embaressment to its developers and users.
Or, alternately, perhaps Java is relatively new and also *rarely ever used, or deployed*, in comparison to PHP, which means that many fewer holes will ever be created, and thus, found.
Let's find some numbers... ah, here we go: <http://www.securityspace.com/s_survey/data/man.200605/apachemods.html> Top PHP apache mods: PHP: 5.69 million hosts PHP-CGI: .28 million hosts Top Java apache mods: mod_jk: .41 million hosts Jserv .1 million hosts5.97 million PHP hosts, 43.1% marketshare, vs .51 million Java hosts, 3.72% marketshare.
1181 PHP CVEs vs. 152 Java CVEs.Only 8.5% of PHP's market share, but 12.8% of PHP's bugs? Is Java *less* secure than PHP? (Yikes... Mark Twain and all...)
Or to put it another way, if there are so many security problems with PHP then the PHP development model or use model needs to be seriously reconsidered and redeveloped such that it is immune to such security issues. This may, of course, mean throwing away PHP and starting over (see C/C++ -> Java).
As another poster pointed out to me quite eloquently, the learning curve seems to be the problem.
Apparently, PHP is too easy to use.I say that with all seriousness, and kidding. Because PHP isn't hard to use, people who are inexperienced with writing secure internet applications are apparently using it to write Bad Code(tm) in droves.
-Bop -- 4245 NE Alberta Ct. Portland, OR 97218 503-282-1370
Current thread:
- Re: PHP security (or the lack thereof), (continued)
- Re: PHP security (or the lack thereof) Bojan Zdrnja (Jun 17)
- Re: PHP security (or the lack thereof) Jessica Hope (Jun 21)
- Re: PHP security (or the lack thereof) Jose Nazario (Jun 17)
- Re: PHP security (or the lack thereof) Geo. (Jun 19)
- Re: PHP security (or the lack thereof) kicktd (Jun 21)
- Re: PHP security (or the lack thereof) Geo. (Jun 21)
- Re: PHP security (or the lack thereof) Crispin Cowan (Jun 22)
- Re: PHP security (or the lack thereof) Geo. (Jun 19)
- Re: PHP security (or the lack thereof) Bojan Zdrnja (Jun 17)
- Re: PHP security (or the lack thereof) Neil Neely (Jun 19)
- Re: PHP security (or the lack thereof) john mullee (Jun 23)
- Re: PHP security (or the lack thereof) Darren Reed (Jun 26)
- Re: PHP security (or the lack thereof) Ronald Chmara (Jun 27)
- Re: PHP security (or the lack thereof) Tonnerre Lombard (Jun 28)
- Re: PHP security (or the lack thereof) Darren Reed (Jun 28)
- Re: PHP security (or the lack thereof) Darren Reed (Jun 26)
- Re: PHP security (or the lack thereof) Geo. (Jun 23)
- Re: PHP security (or the lack thereof) Crispin Cowan (Jun 23)
- Re: PHP security (or the lack thereof) Daniel Hulme (Jun 26)
- Re: PHP security (or the lack thereof) Tobias J. Kreidl (Jun 26)
- Re: PHP security (or the lack thereof) Glynn Clements (Jun 27)