Bugtraq mailing list archives

Re: PHP security (or the lack thereof)


From: Matthias Kestenholz <lists () spinlock ch>
Date: Mon, 26 Jun 2006 19:32:55 +0200

* Geo. (geoincidents () nls net) wrote:
...
  "The configuration flexibility of PHP is equally rivalled by the code
flexibility. PHP can be used to build complete server applications,
with all the power of a shell user, or it can be used for simple
server-side includes with little risk in a tightly controlled
environment. How you build that environment, and how secure it is, is
largely up to the PHP developer."

And is the default install wide open or tightly controlled? I mean from a
security standpoint we have been screaming for years at Microsoft to change
their defaults to firewall on and things locked instead of open.

Is php secure by default when it's installed on a server?


This question does not really have any meaning. If you ask if php
_applications_ are secure by default, the answer is of course "it
depends" (most php applications are broken; just do a
"grep -R eval ." and see for yourself).

The php safe_mode is not really safe. magic_quotes_gpc is broken by
design. Where does that leave us? Write secure code, validate all input
or get hacked, as is the case with every other software/language.
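The remark above that magic_quotes_gpc is broken by design, illustrated with an added example (not code from the original thread): magic_quotes_gpc ran addslashes() over every request value, which only helps inside quoted SQL string literals, so an unquoted numeric context gets no protection at all. The hardened version validates the input type and binds a parameter instead; the users table and its rows are constructed sample data in an in-memory SQLite database, and the function names are my own.

```php
<?php
// Added example, not from the original post. Shows why relying on
// magic_quotes_gpc (removed in PHP 5.4) was fragile and what to do instead.

// What magic_quotes_gpc did to every GET/POST/COOKIE value: addslashes().
function magic_quotes_emulate(string $value): string
{
    return addslashes($value);
}

// Legacy style: interpolate the (auto-escaped) value into SQL. addslashes()
// only affects quote/backslash/NUL characters, so an unquoted numeric
// context is left completely unprotected.
function legacy_query(string $id): string
{
    $escaped = magic_quotes_emulate($id);
    return "SELECT * FROM users WHERE id = " . $escaped;
}

// Hardened style: validate the type first, then bind a typed parameter so
// the value is never parsed as SQL, whatever it contains.
function lookup_user(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {          // input validation: integer ids only
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Quote-free input passes through addslashes() unchanged, so the legacy
// query's WHERE clause is rewritten by the input despite magic quotes.
$untrusted = '1 OR 1=1';
echo legacy_query($untrusted), "\n";    // SELECT * FROM users WHERE id = 1 OR 1=1

// The hardened lookup rejects the same input and only ever binds integers.
var_dump(lookup_user($db, $untrusted)); // NULL
var_dump(lookup_user($db, '2'));        // ["id"] => 2, ["name"] => "bob"
```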

