Full Disclosure mailing list archives
Re: How secure is PHP ?
From: "Gary E. Miller" <gem () rellim com>
Date: Thu, 4 Nov 2004 10:07:44 -0800 (PST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo Ron!

On Thu, 4 Nov 2004, Ron DuFresne wrote:

> I'm not sure php is all that safe for public consumption as you sir. A quick look at security focus, searching the vuln db for PHP, nothing more comes up with this history;
You neglected to include PHP Bug # or CERT identifiers so it is a bit hard to work with your list. Looking at the Official PHP Bug list I am having a hard time matching your list. Oh, you just searched those bozos at securityfocus.

Wow, 7 whole problems with PHP/Linux at SecurityFocus in 2004! Wanna compare that to IIS or Apache (123), Java (5) during the same time? Funny thing, searching SecurityFocus for IIS shows nothing for 2004? Yeah right. :-)

I never said PHP was perfect; all popular software has had problems now and then. None of these could affect an Apache server that did not already execute PHP code. Just having PHP installed in Apache was not sufficient. Several do not seem to me (or the PHP folks) to be real bugs. Only one affected a LAMP system that is validating all user input before using it, and that was promptly fixed. None of these came close to affecting any PHP I have written or maintain. I'll take those odds any day, and of course will keep my systems fully patched. Since 50% of all Apache servers have PHP installed my opinion is pretty common.
> 2004-10-28: PHP cURL Open_Basedir Restriction Bypass Vulnerability

Non-standard extension based on C library. Bug #30610 marked as BOGUS. Since when is allowing the PROGRAMMER to access the local file system a problem? The PROGRAMMER is always supposed to validate user supplied input.
> 2004-10-25: PHP Remote Arbitrary Location File Upload Vulnerability

PHP Bug #28456. I do not agree this is a bug. PHP was just exporting the functionality of the standard C file I/O. If a program fails to validate the input it feeds to file system functions it is programmer error. The fact a file system function can do full pathing/globbing is a feature, not a bug.
> 2004-10-25: PHP PHP_Variables Remote Memory Disclosure Vulnerability

Only applies if the programmer formats user supplied data without first validating it. C printf has the same problem; no one calls that a bug.
> 2004-10-16: PHP memory_limit Remote Code Execution Vulnerability

The one REAL problem here. Bug #29241 was promptly fixed and depended on the programmer using specific code to be exploited. Closely related to a similar bug in Apache.
> 2004-09-15: PHP Strip_Tags() Function Bypass Vulnerability

Never used it. Trying to allow users to upload SOME html tags is just asking for problems. The man page ALWAYS warned about its limitations. Only a problem if the recommended safe PHP.INI config is not used and the programmer failed to validate input.
> 2004-06-07: PHP Microsoft Windows Shell Escape Functions Command Execution Vulnerability

M$, blah, you deserve to be hacked.
> 2004-05-27: PHP Input/Output Wrapper Remote Include Function Command Execution Weakness

PHP Bug #28456. I do not agree this is a bug. If a program fails to validate the input it feeds to file system functions it is programmer error. The fact a file system function can do full pathing/globbing is a feature, not a bug.
> 2004-03-24: PHP openlog() Buffer Overflow Vulnerability

No PHP Bug #. If the programmer logs unvalidated user supplied input there can be a problem. If code does this it is stupid anyway. Similar problem in C.

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller
Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem () rellim com  Tel: +1(541)382-8588  Fax: +1(541)382-8676

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBim/28KZibdeR3qURAjqZAJ9I+phbXgMG2G9JhLt6hk7Jbp3jywCfbowO
owGWx/gzcsZx3V7h2sBhajY=
=E6Qq
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- How secure is PHP ? Nayana Somaratna (Nov 01)
- Re: How secure is PHP ? ph0enix (Nov 01)
- Re: How secure is PHP ? Gary E. Miller (Nov 01)
- Re: How secure is PHP ? Dan Margolis (Nov 02)
- Re: How secure is PHP ? Gary E. Miller (Nov 02)
- Re: How secure is PHP ? Ron DuFresne (Nov 04)
- Re: How secure is PHP ? Stefan Esser (Nov 04)
- Re: How secure is PHP ? Ron DuFresne (Nov 22)
- Re: How secure is PHP ? Gary E. Miller (Nov 04)
- Re: How secure is PHP ? Dan Margolis (Nov 02)
- Re: How secure is PHP ? Dan Margolis (Nov 11)
- <Possible follow-ups>
- RE: How secure is PHP ? Sandeep Sengupta (Nov 01)
- Re: How secure is PHP ? Meder Kydyraliev (Nov 01)
- Re: How secure is PHP ? J b (Nov 04)
- Re: How secure is PHP ? VeNoMouS (Nov 04)
- Re: How secure is PHP ? Matt (Nov 05)
- Re: How secure is PHP ? Gary E. Miller (Nov 05)
- Re: How secure is PHP ? Matt (Nov 05)