| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c8bcda7ee680e88e0967594fe76a0646@opus1.com> Date: Fri, 23 Jun 2006 22:07:50 -0700 From: Ronald Chmara <ron@...s1.COM> To: nabiy@...mail.com Cc: bugtraq@...urityfocus.com Subject: Re: PHP security (or the lack thereof) On Jun 21, 2006, at 4:52 PM, nabiy@...mail.com wrote: > Trying to make the language 'safe' won't fix it because the language > is not the problem. The real problem is the way PHP is presented to > most new developers. > PHP has been introduced as a tool for the web developer. As a language > its goal is "to allow web developers to write dynamically generated > pages quickly." ( http://www.php.net/manual/en/faq.general.php ). Did you read Section IV of that same manual? I remember it quite well, having wrote some portions of it. " PHP is a powerful language and the interpreter, whether included in a web server as a module or executed as a separate CGI binary, is able to access files, execute commands and open network connections on the server. These properties make anything run on a web server insecure by default." ... "The configuration flexibility of PHP is equally rivalled by the code flexibility. PHP can be used to build complete server applications, with all the power of a shell user, or it can be used for simple server-side includes with little risk in a tightly controlled environment. How you build that environment, and how secure it is, is largely up to the PHP developer." From: <http://www.php.net/manual/en/security.intro.php> > The focus then is to enable the web developer by giving him the tools > he needs to create dynamic content, with as little hassle as possible. > The web developer need only read a short tutorial ( > http://www.php.net/manual/en/tutorial.php ) and he is ready to read, > understand and implement the ideas presented in the various example > scripts on PHP.net. Unfortunately this situation leaves the web > developer uninformed and unprepared to face the hostile environment > that is the net. You may be making some erroneous assumptions about who, or what, PHP quantifies a "web developer" as. As the manual notes, PHP scales, security wide, from extremely rigid to extremely flexible, as needed. It is simultaneously being used as a multi-million-users piece of core software at sites such as Yahoo! and wikipedia, but it can also be used as a mail form processor at "Joe's bait and tackle". I don't think somebody who would ever consider the security section in the primary online manual as a "footnote" as having enough experience to call themselves a developer. > the only real solution is to change the way the language is presented > to new developers. It must be presented in a manner that increases the > awareness of the developer so that he able to deploy his application > in a safe manner. This means that security needs to be taught from the > beginning rather than as a footnote, especially on sites where > authoritative teaching is given ( such as PHP.net ). - nabiy If somebody doesn't know that security considerations are a core part of writing *any* software, they probably aren't that experienced of a developer yet. However, it might be a Very Good Idea(TM) to make a mini-security subsection in the tutorial/"Getting Started" section, for readers who skip over section IV. FWIW, The manual is arranged as follows: ----- Preface I. Getting Started II. Installation and Configuration III. Language Reference IV. Security V. Features VI. Function Reference VII. PHP and Zend Engine Internals VIII. FAQ: Frequently Asked Questions IX. Appendixes ---- Note that Security is introduced just after the context of "how the language works"/"Language Reference" (so users can understand the security issues) and before "What the Language can do"/"Features". -Ronabop -- 4245 NE Alberta Ct. Portland, OR 97218 503-282-1370
Powered by blists - more mailing lists