WebApp Sec mailing list archives
Re: Anyone have some basic security tips for PHP-programmers?
From: Andreas <exon () home se>
Date: Tue, 25 Nov 2003 12:31:51 +0100
Härnhammar wrote:

> Quoting "Herbold, John W." <JWHERBOLD () arkbluecross com>:
>
> > but PHP is NOT vulnerable to buffer overflows from PHP scripts
>
> A quick search on Google for "PHP buffer overflow" shows otherwise.
>
> A program written in a scripting language might at some point send data to a program written in a compiled language. Common examples include MySQL and sendmail. Thus, if we only check what characters are used and not the length of data fields, people could conceivably crack a sendmail server through our script, even if they can't connect to it directly.
>
> Moral of the story: always check lengths as well, and avoid regular expression characters such as * or +, as they allow an unlimited amount of something.

Those are all bugs in the program being called. I see your point, but the solution in this case is to patch the flawed program. Wrapping the 'real' program in fool-proof script-blankets is not only impossible, it also requires in-depth knowledge about the software being called. If you have that knowledge you could easily patch the 'real' program instead.

On a side-note: It's of course never a good idea to pass user-supplied data to a program, but that doesn't necessarily involve bugs for it to be exploitable. I thought this was self-explanatory, but apparently I was wrong.
/Andreas
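The "check lengths as well, not just characters" advice quoted above, as an added PHP example that is not part of this thread or any poster's code. It contrasts a validator built on an unbounded `+` quantifier with one that uses bounded quantifiers plus an explicit length cap before a value is handed to a compiled program (here the local mailer via `mail()`). The function names, the length limits and the sample inputs are this example's own choices; the 64/254-octet limits follow RFC 5321 but any bound your backend is known to handle is the point.

```php
<?php
// Added example, not code from the thread. Validates a user-supplied e-mail
// address by character class AND by length before it reaches sendmail.

// Weak check (what the quoted message warns against): '+' accepts a run of
// unlimited length, so a multi-megabyte "address" passes as long as every
// character is in the allowed class.
function is_valid_email_weak(string $addr): bool
{
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $addr) === 1;
}

// Limits chosen for this example (RFC 5321: 64-octet local part, 254-octet address).
const MAX_LOCAL_LEN = 64;
const MAX_EMAIL_LEN = 254;

// Stronger check: explicit length cap first, then bounded quantifiers.
// The 'D' modifier makes '$' match only at the very end of the string;
// without it, PCRE's '$' also matches before a single trailing newline,
// so "bob@example.com\n" would slip through.
function is_valid_email(string $addr): bool
{
    if (strlen($addr) > MAX_EMAIL_LEN) {
        return false;
    }
    $pattern = '/^[A-Za-z0-9._%+-]{1,' . MAX_LOCAL_LEN . '}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,24}$/D';
    return preg_match($pattern, $addr) === 1;
}

// Generic version of the same idea for any field passed to an external
// program: an allowed character class and a hard maximum length, both
// supplied by the caller, never an open-ended quantifier.
function bounded_field(string $value, string $allowedClass, int $maxLen): bool
{
    if ($maxLen < 1 || strlen($value) > $maxLen) {
        return false;
    }
    return preg_match('/^[' . $allowedClass . ']{1,' . $maxLen . '}$/D', $value) === 1;
}

// Only after validation does the value reach the compiled program.
function send_notification(string $to, string $body): bool
{
    if (!is_valid_email($to)) {
        return false;          // refuse rather than "clean up" the input
    }
    return mail($to, 'Notification', $body);
}

// Constructed sample inputs for demonstration.
$samples = [
    'normal address'        => 'alice@example.com',
    'oversized local part'  => str_repeat('a', 10000) . '@example.com',
    'trailing newline'      => "bob@example.com\n",
];

foreach ($samples as $label => $addr) {
    printf(
        "%-22s weak=%-5s strong=%s\n",
        $label,
        var_export(is_valid_email_weak($addr), true),
        var_export(is_valid_email($addr), true)
    );
}
// normal address passes both; the oversized and trailing-newline inputs
// pass the weak check but fail the strong one.

// A free-text subject line, capped at 78 characters and restricted to
// printable ASCII without CR/LF, so it cannot carry extra headers.
var_export(bounded_field('Weekly report', 'A-Za-z0-9 .,!?\-', 78));
```

The ordering matters: the `strlen()` check runs before the regex so that the engine never has to scan an unbounded input, and the regex itself carries no `*` or `+`, so even if the length check were removed the pattern would still reject anything longer than the stated bounds.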