Message-ID: <4709A06A.9030009@s0ftpj.org>
Date: Mon, 08 Oct 2007 05:13:46 +0200
From: "KJK::Hyperion" <hackbunny@...tpj.org>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
Geo. wrote:
>>> 2) That said program can protect itself against overtly malicious input.
> Ok then, I can mark you down as one who believes that all the php exploits
> blamed on bad code writing are actually the fault of php and not the
> application coded using its powerful functionality?
No no, mark *me*. PHP is the language...
... that didn't support prepared SQL statements until *revision 5*
... whose syntax can be changed arbitrarily by configuration
... whose applications can, by default, have their code arbitrarily
overwritten by environment variables and user input
... that doesn't have a "text string" data type, despite being expected
to output text by default
... whose "faux text string" type is counted and NUL-terminated at the
same time, inspiring the misguided belief that they can be safely passed
by pointer to external libraries written in C. Never mind the embedded
NULs, what about encoding issues?
... where the "0" string counts as "false"
... meant for web application development, but without any shape, form
or sort of security model, outside of global policies. Even Netscape's
server side Javascript had data tainting, god damn it
... that makes auditing impossible by allowing three or four different
semantics for any dangerous operation (file I/O, process creation...),
some of which are overloads of generic functions
... without structured error handling
... without a library model
PHP promotes piecemeal development of shoddy throw-away applications
pretty much by design, and it does so proudly. No coincidence that it
was mated to MySQL, of all databases. They're like the Britney Spears
and K-Fed of web applications.
I mean, have you ever seen an ASP, ASP.NET or Java EE application mangle
your single quotes and backslashes?
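Two of the items in the list above (the string "0" counting as false, and quoting by hand versus a prepared statement) as an added PHP example; this is not code from the thread, and it assumes PHP 7 or later with the PDO SQLite driver available (the table and rows are constructed for the demo).

```php
<?php
// Added example, not from the original thread: two of the pitfalls above,
// shown with the weak pattern beside the safer one. Assumes PHP >= 7 with
// the PDO SQLite driver available (any PDO driver behaves the same way).

// --- "0" counts as false ------------------------------------------------
// A common "was the parameter supplied?" check. For the input "0" it
// reports the value as missing, because empty("0") is true in PHP.
function looseCheck(array $params): string {
    return empty($params['id']) ? 'missing' : 'present';
}

// Safer: test presence and shape explicitly instead of truthiness.
function strictCheck(array $params): string {
    if (!isset($params['id']) || !is_string($params['id'])) {
        return 'missing';
    }
    return ctype_digit($params['id']) ? 'present' : 'invalid';
}

var_dump(looseCheck(['id' => '0']));          // "missing"  (wrong)
var_dump(strictCheck(['id' => '0']));         // "present"
var_dump(strictCheck(['id' => "0' OR 1=1"])); // "invalid"

// --- Quoting by hand vs. a prepared statement ----------------------------
// The pre-PHP 5 style the post refers to: the value is spliced into the
// SQL text, so correctness depends on escaping every quote and backslash
// (which is what magic_quotes did globally, mangling input in the process).
function handBuiltQuery(string $id): string {
    return "SELECT * FROM users WHERE id = '$id'";
}

// PDO prepared statement: the value is bound, never parsed as SQL.
function fetchUser(PDO $db, string $id): ?array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

echo handBuiltQuery("1' OR '1'='1"), "\n";   // the quote changes the query text
var_dump(fetchUser($db, '2'));               // row for bob
var_dump(fetchUser($db, "1' OR '1'='1"));    // NULL: bound as one literal, no row matches
```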