lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <EKECJMGPAACGOMIGLJJDMEGJHGAA.geoincidents@nls.net>
Date: Tue, 27 Jun 2006 07:41:29 -0400
From: "Geo." <geoincidents@....net>
To: <bugtraq@...urityfocus.com>
Subject: RE: PHP security (or the lack thereof)


> > Is php secure by default when it's installed on a server?
> >
>
> This question does not really have any meaning. If you ask, if php
> _applications_ are secure by default, the answer is of course "it
> depends" (most php applications are broken. Just do a
> "grep -R eval ." and see for yourself)
>
> The php safe_mode is not really safe. magic_quotes_gpc is broken by
> design. Where does that leave us? Write secure code, validate all input
> or get hacked, as is the case with every other software/language.

It's not a meaningless question, it's a quite valid way to look at web
server extensions. You make it sound oh so simple "write secure code" but
I've been a hacker since 1980 when I wrote a bbs program in assembler and
tried to secure it. Writing secure code is anything but simple. It takes a
really good programmer to write code that is secure by design because you
have to understand exactly how the language and in some cases the hardware
you use functions.

A language for websites should never expect to have this level programmers,
heck it's a bunch of artsy web developers who are going to be using it so it
should take that into account and allow the machine administrator to at
least be locked down at the start so he has to enable the features and only
those features the web developers require. It's the only way to make a
powerful web language and still maintain some semblance of security.

Geo.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ