WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Languages/platforms used for Web apps. Any stats?

From: focus () karsites net
Date: Sat, 25 Jun 2005 06:51:31 +0100 (BST)

One of the major problems with PHP and other server sided 
languages provided by web hosting services is the fact 
that the web hosting provider has no control over the code 
written by their customers. This leads to all sorts of 
security holes being left wide open. The most obvious one 
is not checking variable content submitted by user forms.
I cannot see any way around this. 

The customer, possible a newbie to SSS, wants PHP or ASP 
available on their website, so they can experiment with 
writing scripts. The hosting providers offer the required 
SSS language to attract business.

The hosting provider has no idea what scripts their 
customers are writing, and uploading to the hosts server.

Seems like a recipe for disaster to me really.

Just my 2 cents.

Keith Roberts

http://www.karsites.net/

On Fri, 24 Jun 2005, Benjamin Livshits wrote:


Many vulnerabilities reported on SecurityFocus.com daily involve PHP
programs. I was wondering if that's a reflection of the fact that many Web
apps out there are written in PHP. Or is it that vulnerabilities in
proprietary apps that is written in Java or C# simply doesn't make it to
SecurityFocus.com?

Thanks.
-Ben
Previous By Date Next
Previous By Thread Next

Current thread: