WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Languages/platforms used for Web apps. Any stats?

From: Steve McCullough <website () showmethesmut com>
Date: Sun, 26 Jun 2005 07:42:55 +0000
In my experience, most web hosting companies try to limit the ability of
scripts to compromise their servers (by, for instance, denying the
script daemon write access to the filesystem), and leave the security of
the application logic up to the customer.

This compartmentalization generally also means that the customers have
to trust that the hosting provided uses well-configured, well-monitored,
well-patched servers.

Steve

-- 
Steve McCullough
web developer, S.M.U.T. Magazine > www.showmethesmut.com



focus () karsites net wrote:

One of the major problems with PHP and other server sided 
languages provided by web hosting services is the fact 
that the web hosting provider has no control over the code 
written by their customers. This leads to all sorts of 
security holes being left wide open. The most obvious one 
is not checking variable content submitted by user forms.
I cannot see any way around this. 

The customer, possible a newbie to SSS, wants PHP or ASP 
available on their website, so they can experiment with 
writing scripts. The hosting providers offer the required 
SSS language to attract business.

The hosting provider has no idea what scripts their 
customers are writing, and uploading to the hosts server.

Seems like a recipe for disaster to me really.

Just my 2 cents.

Keith Roberts

http://www.karsites.net/
Previous By Date Next
Previous By Thread Next

Current thread: