| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 17 Jun 2006 14:06:10 -0400 From: "Geo." <geoincidents@....net> To: <bugtraq@...urityfocus.com> Subject: Re: PHP security (or the lack thereof) > this is an unfair comparison, i think, and you're not the first to make > such an argument. PHP is a language, one that lends itself to insecure > paradigms and practices. but, so does C and it's built in string handling > functions, and that's a similar source of security bugs over the years. > Perl, in the wrong CGI programming hands, has caused a similar quantity of > issues. I think when evaluating how dangerous something is to the internet you have to look at how it's used and how much risk that creates. For example, allowing users to upload and execute any C executable file to a public web server can prove to be quite dangerous. I think the same can be said for allowing PHP on a public web server, you have just allowed anyone with a website to compromise the entire machine. Do you not think stuff like this should be pointed out to the public so that when selecting a web host they know that one who supports PHP may be putting them at extreme risk compared to one who is a bit more security conscious? As a threat to the internet in whole, don't you think these public php enabled web servers pose an high risk? Geo.
Powered by blists - more mailing lists