Message-ID: <Pine.BSO.4.64.0606162139090.2591@funky.monkey.org>
Date: Fri, 16 Jun 2006 21:50:37 -0400 (EDT)
From: Jose Nazario <jose@...key.org>
To: Darren Reed <avalon@...igula.anu.edu.au>
Cc: bugtraq@...urityfocus.com
Subject: Re: PHP security (or the lack thereof)


On Fri, 16 Jun 2006, Darren Reed wrote:

> From my own mail archives, PHP appears to make up at least 4% of the 
> email to bugtraq I see - or over 1000 issues since 1995, out of the 
> 25,000 I have saved.

> People complain about applications like sendmail...in the same period, 
> it has been responsible for less than 200.

this is an unfair comparison, i think, and you're not the first to make 
such an argument. PHP is a language, one that lends itself to insecure 
paradigms and practices. but, so does C and its built-in string handling 
functions, and that's a similar source of security bugs over the years. 
Perl, in the wrong CGI programming hands, has caused a similar quantity of 
issues.

how many of those issues you are referring to are core PHP issues? looking 
through the stats provided by secunia for PHP 4 - PHP 5 i count up:

 	version			advisories listed by secunia
 	-------			----------------------------
 	PHP 5.1.x		7
 	http://secunia.com/product/6796/

 	PHP 5.0.x		13
 	http://secunia.com/product/3919/

 	PHP 4.4.x		9
 	http://secunia.com/product/5768/

 	PHP 4.3.x		20
 	http://secunia.com/product/922/

 	PHP 4.0.x		7
 	http://secunia.com/product/1655/

so that's a total of 56 PHP core issues from PHP 4.0 onwards. unless PHP 
3.x and prior had over 944 such advisories in that time period (1995 til 
present, your timeframe), i suspect you just did something akin to:

 	grep -i '^subject:.*php.*$' bugtraq.mbox

and looked at the results. hardly reflective of core PHP issues, given the 
wide number of PHP applications that have had bugtraq posts written about 
them.

my point is simple: if you're going to pick on something, compare apples 
to apples and not oranges. if you pick on this huge flood of PHP apps 
that have had security holes, then pick on C for a similar number of bugs 
over the years. pick on Perl and the number of poorly written CGI scripts 
that have had security bulletins over the years. i'm sure a few more 
languages could easily be added to that list.

bear in mind i'm no PHP (or Perl, or C) bigot. but really, if you're going 
to complain about PHP, at least make your argument on reasonable grounds.

________
jose nazario, ph.d.		    jose@...key.org
http://monkey.org/~jose/ 	    http://monkey.org/~jose/secnews.html
 				    http://www.wormblog.com/

