lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.61.0411040819020.2629@catbert.rellim.com>
From: gem at rellim.com (Gary E. Miller)
Subject: How secure is PHP ?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo Ron!

On Thu, 4 Nov 2004, Ron DuFresne wrote:

> I'm not sure php is all that safe for public consumption as you sir.  A
> quick look at security focus, searching the vuln db for PHP, nothing more
> comes up with this history;

You neglected to include PHP Bug # or CERT identifiers so it is a bit
hard to work with your list. Looking at the Official PHP Bug list I am
having a hard time matching your list.  Oh, you just searched those
bozos at securityfocus.

Wow, 7 whole problems with PHP/Linux at SecurityFocus in 2004!  Wanna
compare that to IIS or Apache(123), Java (5) during the same time?
Funny thing searching SecurityFocus for IIS shows nothing for 2004?
Yeah right. :-) I never said PHP was perfect, all popular software has
had problems now and then.

None of these could affect an Apache server that did not already
execute PHP code.  Just having the PHP installed in the Apache was not
sufficient.  Several do not seem to me (or the PHP folks) to be real
bugs.  Only one affected a LAMP system that is validateing all user input
before using it and that was promptly fixed.

None of these came close to affecting any PHP I have written or maintain.

I'll take those odds any day, and of course will keep my systems fully
patched.  Since 50% of all Apache servers have PHP installed my opinion
is pretty common.

>      2004-10-28:    PHP cURL Open_Basedir Restriction Bypass Vulnerability

Non-standard extension based on C library. Bug #30610 marked as BOGUS.
Since when is allowing the PROGRAMMER to access the local file system a
problem?  The PROGRAMMER is always supposed to validate user supplied
input.

>      2004-10-25:    PHP Remote Arbitrary Location File Upload Vulnerability

PHP Bug #28456.  I do not agree this is a bug.  PHP was just exporting
the functionality of the standard C file i/o.  If a program fails to
validate the input it feeds to file system functions it is programmer
error.  The fact a file system function can do full pathing/globbing is
a feature not a bug.

>      2004-10-25:    PHP PHP_Variables Remote Memory Disclosure Vulnerability

Only applies if the programmer formats user supplied data without
first validateing it.  C printf has the same problem noone calls that
a bug.

>      2004-10-16:    PHP memory_limit Remote Code Execution Vulnerability

The one REAL problem here.

Bug # 29241, was promptly fixed and depending on the programmer using
specific code to be exploited.  Closely related to a similar bug in Apache.

>      2004-09-15:    PHP Strip_Tags() Function Bypass Vulnerability

Never used it.  Trying to allow users to allow SOME html tags to be
uploaded is just asking for problems.  Man page ALWAYS warned about it's
limitations.  Only a problem if recommended safe PHP.INI config is not used
and programmer failed to validate input.

>      2004-06-07:    PHP Microsoft Windows Shell Escape Functions
>                     Command Execution Vulnerability

M$, blah, you deserve to be hacked.

>      2004-05-27:    PHP Input/Ouput Wrapper Remote Include Function
>                     Command Execution Weakness

PHP Bug #28456.  I do not agree this is a bug.  If a program fails to
validate the input it feeds to file system functions it is programmer error.
The fact a file system function can do full pathing/globbing is a feature
not a bug.

>      2004-03-24:    PHP openlog() Buffer Overflow Vulnerability

No PHP Bug #.

If the programmer logs unvalidated user supplied input there can be a
problem.  If code does this it is stupid anyway.  Similar problem in C.

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
	gem@...lim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBim/28KZibdeR3qURAjqZAJ9I+phbXgMG2G9JhLt6hk7Jbp3jywCfbowO
owGWx/gzcsZx3V7h2sBhajY=
=E6Qq
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ