Full Disclosure mailing list archives
Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
From: "KJK::Hyperion" <hackbunny () s0ftpj org>
Date: Mon, 08 Oct 2007 05:13:46 +0200
Geo. ha scritto:
2) That said program can protect itself against overtly malicious input.Ok then, I can mark you down as one who believes that all the php exploits blamed on bad code writing are actually the fault of php and not the application coded using it's powerful functionality?
No no, mark *me*. PHP is the language... ... that didn't support prepared SQL statements until *revision 5* ... whose syntax can be changed arbitrarily by configuration ... whose applications can, by default, have their code arbitrarily overwritten by environment variables and user input ... that doesn't have a "text string" data type, despite being expected to output text by default ... whose "faux text string" type is counted and NUL-terminated at the same time, inspiring the misguided belief that they can be safely passed by pointer to external libraries written in C. Never mind the embedded NULs, what about encoding issues? ... where the "0" string counts as "false" ... meant for web application development, but without any shape, form or sort of security model, outside of global policies. Even Netscape's server side Javascript had data tainting, god damn it ... that makes auditing impossible by allowing three or four different semantics for any dangerous operation (file I/O, process creation...), some of which overloads of generic functions ... without structured error handling ... without a library model PHP promotes piecemeal development of shoddy throw-away applications pretty much by design, and it does so proudly. No coincidence that it was mated to MySQL, of all databases. They're like the Britney Spears and K-Fed of web applications I mean, have you ever seen an ASP, ASP.NET or Java EE application mangle your single quotes and backslashes? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype, (continued)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Lamer Buster (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype KJK::Hyperion (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Geo. (Oct 06)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype James Matthews (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Thierry Zoller (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Geo. (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype 3APA3A (Oct 08)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Thierry Zoller (Oct 09)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Valdis . Kletnieks (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Geo. (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype KJK::Hyperion (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype gjgowey (Oct 07)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype john lokka (Oct 09)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype KJK::Hyperion (Oct 09)
- Third-party patch for CVE-2007-3896 (Internet Explorer 7 invalid URI handling) available KJK::Hyperion (Oct 13)
- Re: Third-party patch for CVE-2007-3896, UPDATE NOW KJK::Hyperion (Oct 17)
- I made third-party patch for CVE-2007-3896 (Internet Explorer 7 invalid URI handling) KJK::Hyperion (Oct 14)
- Re: I made third-party patch for CVE-2007-3896 (Internet Explorer 7 invalid URI handling) KJK::Hyperion (Oct 14)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Thierry Zoller (Oct 11)
- Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Roger A. Grimes (Oct 07)