| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <17b0fcab0602241307n5b2e9a41s@mail.gmail.com> Date: Sat, 25 Feb 2006 10:07:52 +1300 From: "Jamie Riden" <jamie.riden@...il.com> To: "Kevin Waterson" <kevin@...ania.net> Cc: bugtraq@...urityfocus.com Subject: Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] On 22/02/06, Kevin Waterson <kevin@...ania.net> wrote: > This one time, at band camp, Gadi Evron <ge@...uxbox.org> wrote: > > > 3. Staying on top of new PHP vulnerabilities has become impossible, > > popping around everywhere. > > What vulnerabilities in PHP? > Are implying the fault is within the language itself? I think Gadi meant vulnerabilities in PHP applications; though the language doesn't make it particularly easy to write secure code. > This is akin to saying C has vulnerabilites because some script kiddie > wrote a poor application. Like this ? "We can give you advice on how to write good cryptographic code. Avoid any programming language that allows buffer overflows. Specifically: don't use C or C++" -- Practical Cryptography, Schneier and Ferguson, (p149 in my copy). It's a point of view that has something to be said for it. You *can* write secure code in C and PHP, but it takes a lot of care and most programmers don't take that care. I've been told privately that one penetration tester could gain system privileges on the majority of webservers he checked; that used to surprise me, but doesn't any longer. I don't whether that's a 'vulnerability', 'disadvantage' or 'feature' of PHP and other scripting languages. cheers, Jamie -- Jamie Riden / jamesr@...ope.com / jamie.riden@...il.com
Powered by blists - more mailing lists