Secure Coding mailing list archives
PHP security under scrutiny
From: jms at bughunter.ca (J. M. Seitz)
Date: Tue, 19 Dec 2006 07:50:40 -0800
Yeah, I can personally attest to that. After spending a few months on the OSVDB as a mangler and developer, I quickly realized that the bevy of vulnerabilities we worked on every day were primarily PHP based. Now, granted, setting "register_globals off" (which essentially prevents a user from overwriting variables in a page) will mitigate most of these vulnerabilities; it was still alarming to see. Not to mention the fact that most people are spending their time looking for XSS or SQL injections, whereas the upward trend looked more like remote file inclusion vulnerabilities, which are more dangerous to the host machine rather than an unsuspecting end-user.

Maybe someone can remind me of who said "Once the bad guy is running code on your machine, it's no longer your machine." :)

JS

_____

From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Kenneth Van Wyk
Sent: Tuesday, December 19, 2006 7:33 AM
To: Secure Coding
Subject: [SC-L] PHP security under scrutiny

Interesting article about PHP security:

http://www.securityfocus.com/news/11430

Among other things, NIST's vul database shows, "Web applications written in PHP likely account for 43 percent of the security issues found so far in 2006, up from 29 percent in 2005."

Happy reading...

Cheers,

Ken

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
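The two PHP weaknesses the post names, variable overwriting under register_globals and remote file inclusion, are easier to see in code. The example below is added here and is not from the SC-L thread or from any project it mentions; the page name, template paths and session layout are constructed for illustration. Note that register_globals was removed in PHP 5.4, so the first function only misbehaves on the older interpreters the post was written against; the hardened patterns are sound on any version.

```php
<?php
// Added example (not from the thread). Hypothetical page that gates an
// admin section on $is_admin and renders a template chosen by ?page=...

// --- Vulnerable pattern (only with the old register_globals=on) ---
// register_globals pre-populated a global $is_admin from a request such
// as ?is_admin=1 before any code ran. Code that assigns the flag only on
// a successful check and never initialises it lets the request value
// survive, so the request itself decides the outcome.
function legacy_admin_check_vulnerable(array $session): bool
{
    global $is_admin;              // never initialised here
    if (isset($session['role']) && $session['role'] === 'admin') {
        $is_admin = true;
    }
    return isset($is_admin) && $is_admin;   // may be true only because the query string said so
}

// --- Hardened pattern ---
// Initialise every variable before use and take request data only from
// the superglobals ($_GET, $_POST, ...), so nothing arrives silently.
// This is correct regardless of the register_globals setting.
function admin_check_hardened(array $session): bool
{
    $is_admin = false;             // explicit default
    if (isset($session['role']) && $session['role'] === 'admin') {
        $is_admin = true;
    }
    return $is_admin;
}

// --- File inclusion: map request input to an allowlist, never to a path ---
// include($_GET['page'] . '.php') lets the request choose what runs, and
// with allow_url_include=on the "file" can even be a URL on another host
// (the remote file inclusion the post describes). Resolve the request to a
// fixed set of known templates; anything else falls back to the default.
function resolve_template(string $requested): string
{
    $templates = [                 // constructed allowlist for the example
        'home'    => 'templates/home.php',
        'contact' => 'templates/contact.php',
    ];
    return isset($templates[$requested]) ? $templates[$requested] : $templates['home'];
}

// Usage (hypothetical): the include path can only be one of the two strings above.
// $template = resolve_template(isset($_GET['page']) ? $_GET['page'] : 'home');
// include $template;
```

On the configuration side, the same two settings the post alludes to are what a reviewer checks first in php.ini: `register_globals = Off` (the default since PHP 4.2, gone entirely in 5.4) and `allow_url_include = Off` (available from PHP 5.2), the latter removing the "remote" from remote file inclusion even when an include path is still attacker-influenced. Neither replaces the allowlist above; they limit the damage when application code gets it wrong.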
Current thread:
- PHP security under scrutiny Kenneth Van Wyk (Dec 19)