LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

PEAR XML_RPC remote code execution vulnerability

PEAR XML_RPC remote code execution vulnerability

Posted Jul 8, 2005 16:23 UTC (Fri) by mtk77 (guest, #6040)
Parent article: PEAR XML_RPC remote code execution vulnerability

I am not usually a PHP-basher, but after reading the advisory, I cannot resist expressing concern about the quality of code in the PEAR and the calibre of people contributing to it, and what that says about the language, environment and supporting community of PHP in general.

A few, erm, "enthusiasts" aside, PHP is used for front-end web apps. What these people seem not to have realised is that every dynamic web page is a network service.

To adapt an OpenBSD motto, any "eval" is a security hole unless proven otherwise. (I am also inclined to observe that its use in this module forms a concise PHP-specific version of Tom Christensen's csh rant.) You don't have to be thinking of security holes all the time to see why passing input you didn't build up yourself to a function which can do literally anything that can be done in code is a bad idea.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds