[nycbug-talk] Searching for suspect PHP files...
Miles Nordin
carton at Ivy.NET
Tue Mar 3 17:15:44 EST 2009
>>>>> "hz" == Hans Zaunere <lists at zaunere.com> writes:
>>>>> "mg" == Max Gribov <max at neuropunks.org> writes:
>>>>> "ak" == Andy Kosela <akosela at andykosela.com> writes:
hz> Is C flawed because someone doesn't know how to check/prevent
hz> buffer overflows?
emphatically, YES.
Now don't get contrary on me, Hans. Let's burn a few of these
strawmans before the thread gets hot.
Claiming something is ``flawed'' is not the same as claiming ``there
is never a case to use it, ever.'' (disagree)
However, saying ``there is a case to use it'' (agree) is not the same
as saying
``they all have their strengths and weaknesses so it's a matter of
choosing the right tool for the job, or of personal preference with no
overall judgement possible.'' (disagree)
hz> Is Unix flawed because root let's you wipe out the hard disk?
That is not a security flaw.
mg> i bet you can find just as many vulnerable web apps written in
mg> other languages,
National Vulnerability Database, 2008-09-20,
notPHP:
9 records for Plone
PHP:
145 Drupal,
259 Joomla!,
149 WordPress
source: http://en.wikipedia.org/wiki/Plone_(software)
:p
I suspect you'll find the same in any other arena where PHP and
non-PHP software are in competition.
ak> PHP is flawed by design, and not asking "how to write
ak> secure code".
agree
I am more interested in how to design environments where writing
secure software is effortless. mysql_real_escape_string is just the
very tip of a huge ``not effortless'' iceberg that explodes underwater
into lack of type safety, no uniform installation environment, a
proliferation of archaic and arcane config knobs that forcibly bleed
across applications, version skew nightmares, bleeding global state,
runtime parsing, and shell-script-type languages based on ``quoting''
and ``substitution'' in general---every time I see & bleeding into
the rendered text on Facebook or \' rendering onto my screen in this
shopping cart software, or website logins that won't take punctuation
in passwords, I think PHP, you doomed piece of shit, you.
I do not love you. I will NEVER love you. Even if you were clean I
would not love you.
ak> It is so easy to exploit PHP bugs, that even Visual BASIC
ak> "idiots" can do it.
aye, maybe so, but I didn't originally mean to call the exploiters
idiots. I meant, are the PHP webapps habitually insecure because PHP
is the low-entry-barrier language for people who spend no effort
understanding the various merits to which a programming language can
aspire, so all the worst programmers collect there, and these guys
could not write a secure webapp in any language? and my current
answer is, I don't think so, I think the problem is mostly PHP and
that the same idiots would do much better work on another language.
ak> Miles remarked wisely that
ak> this trend has been going for years.
yeah, and the full size and shape of the so-called ``web security''
trend may be new, like FX was pointing out lurking problems with Java
webapps that like to ``serialize'' things, because you can feed a
bitstream to the web server and have it explode into some arbitrarily
complicated Object inside the web server J2EE VM. And you pointed out
problems with super-convenient AJAX environments that encourage
developers to forget the client VM is not trustworthy. new!
But ``PHP is a pathologically-insecure piece of shit with such a
mountain of documented incidents it's hardly worth discussing the
`why' of the matter, just run, run away, from this awful Situation''
is certainly not new.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20090303/1f2f8824/attachment.bin>
More information about the talk
mailing list