Open Source and information security mailing list archives
Message-ID: <4709A06A.9030009@s0ftpj.org>
Date: Mon, 08 Oct 2007 05:13:46 +0200
From: "KJK::Hyperion" <hackbunny@...tpj.org>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: URI handling woes in Acrobat Reader, Netscape,
 Miranda, Skype

Geo. wrote:
>>> 2) That said program can protect itself against overtly malicious input.
> Ok then, I can mark you down as one who believes that all the php exploits 
> blamed on bad code writing are actually the fault of php and not the 
> application coded using its powerful functionality?

No no, mark *me*. PHP is the language...
... that didn't support prepared SQL statements until *revision 5*
... whose syntax can be changed arbitrarily by configuration
... whose applications can, by default, have their code arbitrarily
overwritten by environment variables and user input
... that doesn't have a "text string" data type, despite being expected
to output text by default
... whose "faux text string" type is counted and NUL-terminated at the
same time, inspiring the misguided belief that they can be safely passed
by pointer to external libraries written in C. Never mind the embedded
NULs, what about encoding issues?
... where the "0" string counts as "false"
... meant for web application development, but without any shape, form
or sort of security model, outside of global policies. Even Netscape's
server side JavaScript had data tainting, god damn it
... that makes auditing impossible by allowing three or four different
semantics for any dangerous operation (file I/O, process creation...),
some of which are overloads of generic functions
... without structured error handling
... without a library model

PHP promotes piecemeal development of shoddy throw-away applications
pretty much by design, and it does so proudly. No coincidence that it
was mated to MySQL, of all databases. They're like the Britney Spears
and K-Fed of web applications

I mean, have you ever seen an ASP, ASP.NET or Java EE application mangle
your single quotes and backslashes?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
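
The mismatch the message describes between a counted string and the NUL-terminated view a C library gets, as an added example that is not part of the original post. `struct cstr`, the function names and the sample values are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical counted string: len is authoritative, bytes may contain NUL. */
struct cstr { const char *buf; size_t len; };

/* Constructed sample values; the second carries an embedded NUL byte. */
static const char PLAIN_BYTES[] = "notes.txt";
static const char SPLIT_BYTES[] = "config.php\0.txt";
const struct cstr PLAIN = { PLAIN_BYTES, sizeof PLAIN_BYTES - 1 };
const struct cstr SPLIT = { SPLIT_BYTES, sizeof SPLIT_BYTES - 1 };

/* Suffix check performed on the counted view (all len bytes). */
static bool has_txt_suffix(struct cstr s) {
    return s.len >= 4 && memcmp(s.buf + s.len - 4, ".txt", 4) == 0;
}

/* Length a C library sees when handed s.buf as a plain char pointer:
 * everything up to the first NUL, which may come before s.len. */
size_t c_visible_len(struct cstr s) {
    const char *nul = memchr(s.buf, '\0', s.len);
    return nul ? (size_t)(nul - s.buf) : s.len;
}

/* Weak gate: validates the counted view only, so the value that is
 * checked is not the value the C side will act on. */
bool weak_accept(struct cstr s) { return has_txt_suffix(s); }

/* Hardened gate: refuse any value whose counted and C views differ,
 * then validate. Both layers now agree on what the string is. */
bool strict_accept(struct cstr s) {
    return c_visible_len(s) == s.len && has_txt_suffix(s);
}

int main(void) {
    const struct cstr samples[] = { PLAIN, SPLIT };
    for (size_t i = 0; i < 2; i++) {
        struct cstr s = samples[i];
        printf("counted=%zu c_view=%zu (\"%s\") weak=%d strict=%d\n",
               s.len, c_visible_len(s), s.buf,
               weak_accept(s), strict_accept(s));
    }
    return 0;
}
```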
