Bugtraq mailing list archives
Re: PHP security (or the lack thereof)
From: "Geo." <geoincidents () nls net>
Date: Sat, 17 Jun 2006 14:06:10 -0400
This is an unfair comparison, I think, and you're not the first to make such an argument. PHP is a language, one that lends itself to insecure paradigms and practices. But so does C and its built-in string handling functions, and that's a similar source of security bugs over the years. Perl, in the wrong CGI programming hands, has caused a similar quantity of issues.
I think when evaluating how dangerous something is to the internet you have to look at how it's used and how much risk that creates. For example, allowing users to upload and execute any C executable file to a public web server can prove to be quite dangerous. I think the same can be said for allowing PHP on a public web server: you have just allowed anyone with a website to compromise the entire machine. Do you not think stuff like this should be pointed out to the public so that when selecting a web host they know that one who supports PHP may be putting them at extreme risk compared to one who is a bit more security conscious? As a threat to the internet as a whole, don't you think these public PHP-enabled web servers pose a high risk?

Geo.