Message-ID: <200606162325.k5GNPMEd004841@faron.mitre.org>
Date: Fri, 16 Jun 2006 19:25:22 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Re: PHP security (or the lack thereof)



Darren Reed said:

>  From my own mail archives, PHP appears to make up at least 4% of the
>  email to bugtraq I see - or over 1000 issues since 1995, out of the
>  25,000 I have saved.

Do you mean the PHP interpreter?  Or applications written in PHP?

I'm not sure how many vulnerabilities were in the PHP interpreter
itself, but it looks like it's about 150 or so.

Applications that are WRITTEN in PHP, however, probably cover 20% or
more of all reported vulns this year.  This is just a hunch - I don't
have any way of proving this.  Most PHP apps don't have "php" in their
name, and I don't know of a vulnerability database that records which
programming language was used for an application.  But the rest of
your email matches on "php" were probably PHP applications.

> People complain about applications like sendmail...in the same period,
> it has been responsible for less than 200.

It's more appropriate to compare the PHP language to the C language,
or to compare Sendmail to various high-profile PHP applications.

> Do we have a new contender for worst security offender ever written

Over the years, the PHP language has made it very easy for
inexperienced application programmers to shoot themselves in the foot,
and it has features that even experienced programmers might not know
to defend against.  Sounds kinda like C, doesn't it?

One thing with PHP though, you don't need much training before you can
put together a usable program.  Powerful features plus lots of
non-expert programmers equals a lot of vulnerabilities, regardless of
the language.  PHP is slowly removing the most dangerous features, or
at least not enabling them by default.

I suspect that a large percentage of vulnerabilities could be fixed
with programming languages with built-in security considerations, and
an API that makes it easy or transparent to do safer programming.

- Steve

=======================================================================

Disclaimer: this document was publicly posted to foster timely
technical exchange.  It may contain errors or omissions.  The views
and opinions being expressed are those of Steve Christey and do not
necessarily reflect the views of The MITRE Corporation.  Members of
the press are requested to contact me directly before quoting any
statements in this document.
