lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 27 Jun 2006 01:19:40 -0000
From: nabiy@...mail.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: PHP security (or the lack thereof)


> You may be making some erroneous assumptions about who, or what, PHP 
> quantifies a "web developer"  as. As the manual notes, PHP scales, 
> security wide, from extremely rigid to extremely flexible, as needed. 
> It is simultaneously being used as a multi-million-users piece of core 
> software at sites such as Yahoo! and wikipedia, but it can also be used 
> as a mail form processor at "Joe's bait and tackle". I don't think 
> somebody who would ever consider the security section in the primary 
> online manual as a "footnote" as having enough experience to call 
> themselves a developer.

Highly skilled experienced developers are not designing the vulnerable software in question.  It is not the multi-million-user applications (such as yahoo or wikipedia) that we need to worry about.  We need to worry about the new developers who do not understand the implications of what they are coding. We need to worry about the fifteen-year-old kid who contributes to PHPBB and projects like it so he can learn how to code.  We also need to worry about the web developer who deploys these applications, unknowingly trusting the fifteen-year-old kid's software because he doesn’t have the experience or the time to develop a solution himself.  When talking about PHP and the high rate of vulnerabilities, these are the people we are talking about.

This is not just PHP.net's problem. This is a community problem. Experienced developers are writing tutorials without regard to security.  Here is a good example of what I am talking about from freewebmasterhelp.com (the third result returned by google - http://www.google.com/search?q=php+tutorial ):.

<?
$username="username";
$password="password";
$database="your_database";

$first=$_POST['first'];
$last=$_POST['last'];
$phone=$_POST['phone'];
$mobile=$_POST['mobile'];
$fax=$_POST['fax'];
$email=$_POST['email'];
$web=$_POST['web'];

mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$query = "INSERT INTO contacts VALUES ('','$first','$last','$phone','$mobile','$fax','$email','$web')";
mysql_query($query);

mysql_close();
?>
I do not need to iterate through the security problems with the above script. We are showing new developers how to get input and insert data into mysql but we do not show them how or why they need to validate that input.  This is the reason for the high rate of vulnerabilities in PHP software. 

This problem is widespread, any tutorial you find likely contributes to this problem. Even PHP.net is guilty of this. In PHP.net’s tutorial you introduce a simple HTML form and print the data from that form by passing the data unfiltered back to the browser (http://www.php.net/manual/en/tutorial.forms.php ). It would be much better imho to teach security from the beginning and introduce the idea of filtering the data at that point.  

The problem is the way the community presents PHP. It will take a community effort to fix it. - nabiy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ