PEAR XML_RPC remote code execution vulnerability
Posted Jul 8, 2005 16:23 UTC (Fri) by mtk77
Parent article: PEAR XML_RPC remote code execution vulnerability
I am not usually a PHP-basher, but after reading the advisory, I cannot resist expressing concern about the quality of code in PEAR and the calibre of people contributing to it, and what that says about the language, environment and supporting community of PHP in general.
A few, erm, "enthusiasts" aside, PHP is used for front-end web apps. What these people seem not to have realised is that every dynamic web page is a network service.
To adapt an OpenBSD motto, any "eval" is a security hole unless proven otherwise. (I am also inclined to observe that its use in this module forms a concise PHP-specific version of Tom Christiansen's csh rant.) You don't have to be thinking of security holes all the time to see why passing input you didn't build up yourself to a function which can do literally anything that can be done in code is a bad idea.
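The general pattern the comment objects to, shown as an added PHP example that is not the PEAR XML_RPC code and makes no claim about how that module was actually written: a decoder that pastes wire data into PHP source and runs it through eval(), beside one that treats the same data purely as data. The function names, the allow-listed type names and the hostile payload are constructed for illustration.

```php
<?php
// Added example; not code from PEAR XML_RPC or any project on the page.
// Assumed decoder shape: the wire supplies a type name and a string
// payload, and the decoder must turn them into a PHP value.

// Unsafe: builds PHP source from attacker-controlled text and executes it.
// Both $type and $payload end up inside the code that eval() runs.
function decode_unsafe(string $type, string $payload)
{
    $code = '$value = (' . $type . ') \'' . $payload . '\';';
    eval($code);          // anything the payload can express is now executed
    return $value;
}

// Safe: input is never turned into code. The type is checked against an
// explicit allow-list and the payload is only ever cast or returned.
function decode_safe(string $type, string $payload)
{
    switch ($type) {
        case 'int':     return (int) $payload;
        case 'double':  return (float) $payload;
        case 'string':  return $payload;
        case 'boolean': return $payload === '1' || $payload === 'true';
        default:
            throw new InvalidArgumentException("unknown type: $type");
    }
}

// Constructed hostile payload. Inside decode_unsafe it closes the string
// literal, appends a statement of the attacker's choosing, and reopens a
// literal so the generated source still parses:
//   $value = (string) ''; file_put_contents('/tmp/owned', 'x'); $junk='';
$hostile = "'; file_put_contents('/tmp/owned', 'x'); \$junk='";

// With decode_safe the same bytes come back as an ordinary string and
// nothing is written to disk.
var_dump(decode_safe('string', $hostile));

// Uncommenting the next line would run the attacker's statement:
// decode_unsafe('string', $hostile);
```

The difference is the one the comment makes: decode_unsafe hands a function that can do anything a string the caller did not build, whereas decode_safe confines the input to a handful of casts chosen by the programmer, so a payload can only ever become a value.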