| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 Jun 2006 19:32:55 +0200 From: Matthias Kestenholz <lists@...nlock.ch> To: bugtraq@...urityfocus.com Subject: Re: PHP security (or the lack thereof) * Geo. (geoincidents@....net) wrote: > ... > > "The configuration flexibility of PHP is equally rivalled by the code > > flexibility. PHP can be used to build complete server applications, > > with all the power of a shell user, or it can be used for simple > > server-side includes with little risk in a tightly controlled > > environment. How you build that environment, and how secure it is, is > > largely up to the PHP developer." > > And is the default install wide open or tightly controlled? I mean from a > security standpoint we have been screaming for years at Microsoft to change > their defaults to firewall on and things locked instead of open. > > Is php secure by default when it's installed on a server? > This question does not really have any meaning. If you ask, if php _applications_ are secure by default, the answer is of course "it depends" (most php applications are broken. Just do a "grep -R eval ." and see for yourself) The php safe_mode is not really safe. magic_quotes_gpc is broken by design. Where does that leave us? Write secure code, validate all input or get hacked, as is the case with every other software/language.
Powered by blists - more mailing lists