lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <00fa01c69238$e17ce380$69fea8c0@honeypot>
Date: Sat, 17 Jun 2006 14:06:10 -0400
From: "Geo." <geoincidents@....net>
To: <bugtraq@...urityfocus.com>
Subject: Re: PHP security (or the lack thereof)



> this is an unfair comparison, i think, and you're not the first to make
> such an argument. PHP is a language, one that lends itself to insecure
> paradigms and practices. but, so does C and it's built in string handling
> functions, and that's a similar source of security bugs over the years.
> Perl, in the wrong CGI programming hands, has caused a similar quantity of
> issues.

I think when evaluating how dangerous something is to the internet you have
to look at how it's used and how much risk that creates.

For example, allowing users to upload and execute any C executable file to a
public web server can prove to be quite dangerous.

I think the same can be said for allowing PHP on a public web server, you
have just allowed anyone with a website to compromise the entire machine.

Do you not think stuff like this should be pointed out to the public so that
when selecting a web host they know that one who supports PHP may be putting
them at extreme risk compared to one who is a bit more security conscious?
As a threat to the internet in whole, don't you think these public php
enabled web servers pose an high risk?

Geo.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ