Bugtraq mailing list archives

Re: PHP security (or the lack thereof)

From: Jose Nazario <jose () monkey org>
Date: Fri, 16 Jun 2006 21:50:37 -0400 (EDT)

On Fri, 16 Jun 2006, Darren Reed wrote:

From my own mail archives, PHP appears to make up at least 4% of theemail to bugtraq I see - or over 1000 issues since 1995, out of the25,000 I have saved.

People complain about applications like sendmail...in the same period,it has been resopnsible for less than 200.

this is an unfair comparison, i think, and you're not the first to makesuch an argument. PHP is a language, one that lends itself to insecureparadigms and practices. but, so does C and it's built in string handlingfunctions, and that's a similar source of security bugs over the years.Perl, in the wrong CGI programming hands, has caused a similar quantity ofissues.

how many of those issues you are referring to are core PHP issues? lookingthrough the stats provided by secunia for PHP 4 - PHP 5 i count up :


        version                 advisories listed by secunia
        -------                 ----------------------------
        PHP 5.1.x               7
        http://secunia.com/product/6796/

        PHP 5.0.x               13
        http://secunia.com/product/3919/

        PHP 4.4.x               9
        http://secunia.com/product/5768/

        PHP 4.3.x               20
        http://secunia.com/product/922/

        PHP 4.0.x               7
        http://secunia.com/product/1655/

so that's a total of 56 PHP core issues from PHP 4.0 onwards. unless PHP3.x and prior had over 944 such advisories in that time period (1995 tilpresent, your timeframe), i suspect you just did something akin to:


        grep -i ^subject:.*php .*$ bugtraq.mbox

and looked at the results. hardly reflective of core PHP issues, given thewide number of PHP applications that have had bugtraq posts written aboutthem.

my point is simple: if you're going to pick on something, compare applesto apples and not and oranges. if you pick on this huge flood of PHP appsthat have had security holes, then pick on C for a similar numbers of bugsover the years. pick on Perl and the number of poorly written CGI scriptsthat have had security bulletins over the years. i'm sure a few morelanguages could easily be added to that list.

bear in mind i'm no PHP (or Perl, or C) bigot. but really, if you're goingto complain about PHP, at least make your argument on reasonable grounds.


________
jose nazario, ph.d.                 jose () monkey org
http://monkey.org/~jose/            http://monkey.org/~jose/secnews.html
                                    http://www.wormblog.com/

Current thread:

PHP security (or the lack thereof) Darren Reed (Jun 16)
- Re: PHP security (or the lack thereof) Bojan Zdrnja (Jun 17)
  - Re: PHP security (or the lack thereof) Jessica Hope (Jun 21)
- Re: PHP security (or the lack thereof) Jose Nazario (Jun 17)
  - Re: PHP security (or the lack thereof) Geo. (Jun 19)
    - Re: PHP security (or the lack thereof) kicktd (Jun 21)
    - Re: PHP security (or the lack thereof) Geo. (Jun 21)
    - Re: PHP security (or the lack thereof) Crispin Cowan (Jun 22)
- Re: PHP security (or the lack thereof) Neil Neely (Jun 19)
- Re: PHP security (or the lack thereof) john mullee (Jun 23)
  - Re: PHP security (or the lack thereof) Darren Reed (Jun 26)
    - Re: PHP security (or the lack thereof) Ronald Chmara (Jun 27)
    - Re: PHP security (or the lack thereof) Tonnerre Lombard (Jun 28)
    - Re: PHP security (or the lack thereof) Darren Reed (Jun 28)

(Thread continues...)