Date: Fri, 07 Jul 2006 20:48:20 -0600
From: Gezim Hoxha <gezimetc@...w.ca>
To: "Geo." <geoincidents@....net>
Cc: bugtraq@...urityfocus.com
Subject: Securing PHP or finding PHP alternatives (was: PHP security (or the lack thereof))


On Tue, 2006-27-06 at 07:41 -0400, Geo. wrote:
> > > Is php secure by default when it's installed on a server?
> > >
> >
> > This question does not really have any meaning. If you ask, if php
> > _applications_ are secure by default, the answer is of course "it
> > depends" (most php applications are broken. Just do a
> > "grep -R eval ." and see for yourself)
> >
> > The php safe_mode is not really safe. magic_quotes_gpc is broken by
> > design. Where does that leave us? Write secure code, validate all input
> > or get hacked, as is the case with every other software/language.
> 
> It's not a meaningless question; it's a quite valid way to look at web
> server extensions. You make it sound oh so simple, "write secure code", but
> I've been a hacker since 1980, when I wrote a BBS program in assembler and
> tried to secure it. Writing secure code is anything but simple. It takes a
> really good programmer to write code that is secure by design, because you
> have to understand exactly how the language and, in some cases, the hardware
> you use functions.
> 
> A language for websites should never expect to have programmers of this level;
> heck, it's a bunch of artsy web developers who are going to be using it, so it
> should take that into account and allow the machine administrator to at
> least lock it down at the start, so he has to enable the features, and only
> those features, the web developers require. It's the only way to make a
> powerful web language and still maintain some semblance of security.

With all that's been said in this thread, and all that has been observed
(i.e. a large number of PHP vulnerabilities--please don't try and defend
this; the common thing that everyone agrees on is that PHP tries to
cater to all users, not necessarily programmers, which can make it
insecure), I'm going to ask two questions:

1.) If I have to write PHP, how do I write secure PHP? Give me a number
of measures that I can follow and check-mark each, and live a happy
life--for the most part.

2.) From a security standpoint, what is a better, open-source replacement
for PHP?


Thanks,
-Gezim

P.S.: This is my first bugtraq message, so take it easy on me :)
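The quoted reply above says magic_quotes_gpc is "broken by design" and that the real answer to question 1 is to validate all input. The following is an added example, not code from anyone in this thread, illustrating one concrete reason: magic_quotes_gpc applies addslashes() to every GET/POST/COOKIE value regardless of where it ends up, so it does nothing for an unquoted numeric SQL context and nothing for HTML output. The attacker input, the table and the `lookup_vulnerable`/`lookup_hardened` functions are constructed for this illustration; the script uses PDO with an in-memory SQLite database so it runs offline.

```php
<?php
// Added example (not from the thread): why magic_quotes_gpc-style
// escaping is not input validation, and what to do instead.
// Runs offline with PDO + in-memory SQLite (pdo_sqlite extension).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Constructed attacker input for a numeric parameter. It contains no quote
// characters, so addslashes() (what magic_quotes_gpc does to every request
// value) leaves it completely untouched.
$attacker_id = '1 OR 1=1';

// VULNERABLE: relies on magic_quotes-style escaping and interpolates the
// value into an unquoted numeric context. Escaping quotes cannot help here.
function lookup_vulnerable(PDO $db, string $id): array
{
    $escaped = addslashes($id);                        // == $id for this input
    $sql = "SELECT name FROM users WHERE id = $escaped";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: validate the value against what the parameter *means* (a positive
// integer), then bind it as a typed parameter so it can never be parsed as SQL.
function lookup_hardened(PDO $db, string $id): array
{
    if (!preg_match('/^[1-9][0-9]*$/', $id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Same lesson for a different output context: addslashes() is the wrong
// escape for HTML, so magic_quotes does not stop script injection either.
function render_name_vulnerable(string $name): string
{
    return '<b>' . addslashes($name) . '</b>';         // backslashes, still HTML
}

function render_name_hardened(string $name): string
{
    return '<b>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</b>';
}

// Demonstration
print_r(lookup_vulnerable($db, $attacker_id));         // returns BOTH rows
try {
    lookup_hardened($db, $attacker_id);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";         // input refused outright
}
print_r(lookup_hardened($db, '2'));                     // only bob

$xss = '<script>alert(1)</script>';                     // constructed input
echo render_name_vulnerable($xss), "\n";                // script tag survives
echo render_name_hardened($xss), "\n";                  // &lt;script&gt;... inert
```

The point for question 1 is that escaping is context-specific (SQL, HTML, shell) and belongs at the point of use, whereas validation (does this look like an id, an email, a filename?) belongs at the point of entry; a global, context-blind transformation like magic_quotes_gpc does neither job correctly.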


