Date: Tue, 27 Jun 2006 07:53:44 -0400
From: "Geo." <geoincidents@....net>
To: <bugtraq@...urityfocus.com>
Subject: RE: PHP security (or the lack thereof)
> That's a rather odd question.  Microsoft has been (rightly) criticized
> for providing server *applications* that are insecurely configured (as
> you point out), but php is not an application.  Php is a language, so
> until a program or script is written and accessible from the server, it
> does nothing.  Php, by itself, is not accessible externally because it's
> not running a daemon that opens a port.

I don't agree.

There are lots of web programs written in Perl, ASP, even Cold Fusion. But
when I watch the security lists I see exploit after exploit for web
applications, and the vast majority of them have one thing in common: they
are written in PHP.

I'm not blaming PHP, but you can't just ignore that and say it's meaningless;
it's an obvious pattern and it points to a problem with either the language
or the way it's configured or used. Whatever the reason, if we are going to
have a secure internet environment then people need to be aware of the
problem and solutions.

All that I've been suggesting is that SANS point out this danger, make
people aware that PHP-based applications are being exploited at these levels,
and focus attention on the problem. Perhaps a table of popular PHP-based
applications and a count column of the number of exploits each has had to
patch, so folks can make an informed decision when looking for PHP-based web
apps.

Geo.