Bugtraq mailing list archives

Re: PHP security (or the lack thereof)

From: Darren Reed <avalon () caligula anu edu au>
Date: Tue, 27 Jun 2006 20:27:59 +1000 (Australia/ACT)

In some mail from Tonnerre Lombard, sie said:

Salut,

On Sun, 2006-06-25 at 08:42 +1000, Darren Reed wrote:

There have barely a *handful* of JRE/JVM security problems.


I know for the fact that there are quite some though. Also, what should
one think about a company that didn't manage to fix a simple path
traversal vulnerability in their jar(1) utility in almost a year? The
same goes for the serialization DoS.


Depends on who you are and how much noise you make about the problem
and whether or not it is a problem or....details.

I really like Sun Fire servers, but I can't agree that Java is the
bug-free issue-free big white horse. Especially not if you need a couple
of hundreds of megabytes of RAM just to run java -version...

As to useable Java applications: there are such nice things like Tomcat,
the Java web server. The funniest thing about it is that it starts up so
unbelievably slowly, and while everyone tells you that the JIT business
is going to optimize the slowness away in just a day or two, it needs a
restart every 20 hours or it will stop responding. Maybe this is the
-fomit-instructions optimization the Gentoo people are so fond of?

The same goes for my java.core collection. I keep it right next to my
bash.core and cc1.core files.

So, by "free of issues", are you talking about a Java implementation
from a parallel universe?


I've seen enterprise class applications written and run for extended
periods of time (days), dealing with huge amounts of data, that have
not suffered from slowness, much to the chagrin of Sun sales people
who realise they can't sell an E25K to run it.

So I don't accept that all Java programs are either slow or need to
consume 100s of megabytes of RAM for no reason.  A poorly written
one may, yes.  Maybe it is just easier to write applications (such
as Tomcat) that perform badly than it is to write good ones, in the
same way it is easy to write insecure PHP.

Darren

Current thread:

Re: PHP security (or the lack thereof), (continued)
- Re: PHP security (or the lack thereof) Jose Nazario (Jun 17)
  - Re: PHP security (or the lack thereof) Geo. (Jun 19)
    - Re: PHP security (or the lack thereof) kicktd (Jun 21)
    - Re: PHP security (or the lack thereof) Geo. (Jun 21)
    - Re: PHP security (or the lack thereof) Crispin Cowan (Jun 22)
- Re: PHP security (or the lack thereof) Neil Neely (Jun 19)
- Re: PHP security (or the lack thereof) john mullee (Jun 23)
  - Re: PHP security (or the lack thereof) Darren Reed (Jun 26)
    - Re: PHP security (or the lack thereof) Ronald Chmara (Jun 27)
    - Re: PHP security (or the lack thereof) Tonnerre Lombard (Jun 28)
    - Re: PHP security (or the lack thereof) Darren Reed (Jun 28)
- Re: PHP security (or the lack thereof) Steven M. Christey (Jun 17)
- Re: PHP security (or the lack thereof) Alan J Rosenthal (Jun 21)
  - Re: PHP security (or the lack thereof) Geo. (Jun 23)
- Re: Re: PHP security (or the lack thereof) nabiy (Jun 23)
  - Re: PHP security (or the lack thereof) Crispin Cowan (Jun 23)
    - Re: PHP security (or the lack thereof) Daniel Hulme (Jun 26)
    - Re: PHP security (or the lack thereof) Tobias J. Kreidl (Jun 26)
    - Re: PHP security (or the lack thereof) Glynn Clements (Jun 27)
  - Re: PHP security (or the lack thereof) Ronald Chmara (Jun 26)
    - RE: PHP security (or the lack thereof) Geo. (Jun 26)

(Thread continues...)