[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <00fa01c69238$e17ce380$69fea8c0@honeypot>
Date: Sat, 17 Jun 2006 14:06:10 -0400
From: "Geo." <geoincidents@....net>
To: <bugtraq@...urityfocus.com>
Subject: Re: PHP security (or the lack thereof)
> this is an unfair comparison, i think, and you're not the first to make
> such an argument. PHP is a language, one that lends itself to insecure
> paradigms and practices. but, so does C and it's built in string handling
> functions, and that's a similar source of security bugs over the years.
> Perl, in the wrong CGI programming hands, has caused a similar quantity of
> issues.
I think when evaluating how dangerous something is to the internet you have
to look at how it's used and how much risk that creates.
For example, allowing users to upload and execute any C executable file to a
public web server can prove to be quite dangerous.
I think the same can be said for allowing PHP on a public web server, you
have just allowed anyone with a website to compromise the entire machine.
Do you not think stuff like this should be pointed out to the public so that
when selecting a web host they know that one who supports PHP may be putting
them at extreme risk compared to one who is a bit more security conscious?
As a threat to the internet in whole, don't you think these public php
enabled web servers pose an high risk?
Geo.
Powered by blists - more mailing lists