Bugtraq mailing list archives

RE: PHP security (or the lack thereof)


From: "Geo." <geoincidents () nls net>
Date: Tue, 27 Jun 2006 07:53:44 -0400


That's a rather odd question.  Microsoft has been (rightly) criticized
for providing server *applications* that are insecurely configured (as
you point out), but php is not an application.  Php is a language, so
until a program or script is written and accessible from the server, it
does nothing.  Php, by itself, is not accessible externally because it's
not running a daemon that opens a port.

I don't agree.

There are lots of web programs written in perl, asp, even cold fusion. But
when I watch the security lists I see exploit after exploit for web
applications and the vast majority of them have one thing in common, they
are written in PHP.

I'm not blaming PHP, but you can't just ignore that and say it's meaningless;
it's an obvious pattern and it points to a problem with either the language
or the way it's configured or used. Whatever the reason, if we are going to
have a secure internet environment then people need to be aware of the
problem and its solutions.

All that I've been suggesting is that SANS point out this danger, make
people aware that PHP based applications are being exploited at these levels,
and focus attention on the problem. Perhaps a table of popular PHP based
applications and a count column of the number of exploits each has had to
patch, so folks can make an informed decision when looking for PHP based web
apps.

Geo.
