lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 26 Jun 2006 12:45:17 -0500
From: Paul Schmehl <pauls@...allas.edu>
Cc: bugtraq@...urityfocus.com
Subject: Re: PHP security (or the lack thereof)

Geo. wrote:
> ...
>>   "The configuration flexibility of PHP is equally rivalled by the code
>> flexibility. PHP can be used to build complete server applications,
>> with all the power of a shell user, or it can be used for simple
>> server-side includes with little risk in a tightly controlled
>> environment. How you build that environment, and how secure it is, is
>> largely up to the PHP developer."
> 
> And is the default install wide open or tightly controlled? I mean from a
> security standpoint we have been screaming for years at Microsoft to change
> their defaults to firewall on and things locked instead of open.
> 
> Is php secure by default when it's installed on a server?
> 
That's a rather odd question.  Microsoft has been (rightly) criticized 
for providing server *applications* that are insecurely configured (as 
you point out), but php is not an application.  Php is a language, so 
until a program or script is written and accessible from the server, it 
does nothing.  Php, by itself, is not accessible externally because it's 
not running a daemon that opens a port.

Register_globals is set to off by default, so I suppose in that sense 
you can say it's "secure" by default, but it's really a inert object 
until someone does something with it.

Any language can be misused to create insecure software.  The more 
powerful the language, the less difficult it is to create security holes 
(or perhaps the more obvious the holes really are.)  But until an 
attacker has an open port to attack (unless they're sitting at the 
console), everything on a server is "secure".  (Of course the server is 
also useless, but that's beside the point.)

-- 
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5007 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ