WebApp Sec mailing list archives

Re: Anyone have some basic security tips for PHP-programmers?


From: Andreas <exon () home se>
Date: Tue, 25 Nov 2003 12:31:51 +0100

Härnhammar wrote:

Quoting "Herbold, John W." <JWHERBOLD () arkbluecross com>:
but PHP is NOT vulnerable to buffer overflows from PHP scripts
A quick search on Google for "PHP buffer overflow" shows otherwise.

A program written in a scripting language might at some point send data to a program written in a compiled language. Common examples include MySQL and sendmail. Thus, if we only check what characters are used and not the length of data fields, people could conceivably crack a sendmail server through our script, even if they can't connect to it directly.

Moral of the story: always check lengths as well, and avoid regular expression characters such as * or +, as they allow an unlimited amount of something.

Those are all bugs in the program being called. I see your point, but the solution in this case is to patch the flawed program. Wrapping the 'real' program in fool-proof script-blankets is not only impossible, it also requires in-depth knowledge about the software being called. If you have that knowledge you could easily patch the 'real' program instead.

On a side note:
It's of course never a good idea to pass user-supplied data to a program, but that doesn't necessarily involve bugs for it to be exploitable. I thought this was self-explanatory, but apparently I was wrong.


/Andreas
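
The check debated in this thread (allowed characters plus a length bound, with no unbounded * or + quantifier), as an added example that is not part of the original posts. The function name validate_field, the field names and the limits are assumptions chosen for illustration.

```php
<?php
// Added illustration, not code from the thread. Field names and limits
// below are assumptions chosen for the example.

/**
 * Validate a field against an allowed character class AND a length bound.
 * The quantifier is {min,max}, never * or +, so the pattern itself caps
 * how much data can reach the program behind the script.
 */
function validate_field(string $value, string $charClass, int $min, int $max): bool
{
    // Cheap byte-length check first, before the regex engine sees the data.
    if (strlen($value) < $min || strlen($value) > $max) {
        return false;
    }
    // \A and \z anchor to the true start and end; a plain $ would also
    // accept a value that ends in a newline.
    $pattern = '/\A[' . $charClass . ']{' . $min . ',' . $max . '}\z/';
    return preg_match($pattern, $value) === 1;
}

// Hypothetical limits for a form whose data is handed to another program.
$rules = [
    'name'    => ['A-Za-z .\'-', 1, 64],
    'subject' => ['A-Za-z0-9 .,!?-', 1, 120],
];

// Constructed sample input: a normal value, an over-long value, and a
// value with a trailing newline that a $-anchored pattern would let through.
$samples = [
    ['name', 'Anna Svensson'],
    ['name', str_repeat('A', 5000)],
    ['subject', "Meeting notes\n"],
];

foreach ($samples as [$field, $value]) {
    [$class, $min, $max] = $rules[$field];
    $ok = validate_field($value, $class, $min, $max);
    printf("%-8s %-6s %s\n", $field, $ok ? 'accept' : 'reject',
        substr(json_encode($value), 0, 40));
}
```

Only the first sample is accepted; the second fails the length bound and the third fails the character class.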

