Firefox marketing site hacked (News.com) [LWN.net]

Another PHP vulnerability?

Posted Jul 15, 2005 17:04 UTC (Fri) by dizzl (guest, #5521) [Link]

Just like so many people have moved away from Windows...

Another PHP vulnerability?

Posted Jul 15, 2005 17:17 UTC (Fri) by uravanbob (subscriber, #4050) [Link]

And replace it with which secure bug free programming environment? Besides, singling out PHP for any given flaw in the environment is akin to singling out the kernel or gcc for what is probably a library or application flaw - beware wide brushes.

This is almost certainly an exploit of the recently discovered and fixed XML_RPC library bug that hadn't yet been updated on this site because the SAs were busy with something else.

Fix the problem (shoot the hackers -- did I say that? I meant teach some social responsibility) in the various tools, patching mechanisms, programming skills, validation testing....

BTW, I use Python, Java, Javascript, C, and PHP for various web services applications - none of them are perfect, they are all useful.

Another PHP vulnerability?

Posted Jul 15, 2005 17:32 UTC (Fri) by ajross (subscriber, #4563) [Link]

To be fair, I'm no PHP expert. Nonetheless, it seems to me that that
other comparable languages (Perl, Python, Ruby) have not, in fact,
been the subject of the number (or severity) of security flaws that
have been exhibited by PHP over the past few years.

While it's certainly true that there are no silver bullets for
security, it is not a corrolary that all software is equally secure.
In particular, some packages (like sendmail and wuftpd, which I
mentioned earlier) have had a history of such common and severe
security flaws that they have largely been dropped by the community in
favor of other implementations.

Basically, I was wondering aloud whether this point has been reached
by PHP. Feel free to prove me wrong, but also be open minded to the
other, potentially more secure options available.

Another PHP vulnerability?

Posted Jul 15, 2005 17:41 UTC (Fri) by MenTaLguY (guest, #21879) [Link]

Part of the problem is not technical differences, but simply that PHP culture doesn't appear to be very security-conscious compared to many other language cultures. So PHP is simply higher-risk as a result.

Another PHP vulnerability?

Posted Jul 15, 2005 17:48 UTC (Fri) by jwb (guest, #15467) [Link]

Yeah no kidding. For, oh, a decade there was no safe way to construct a SQL query in PHP. You could only build the query by concatenating strings and escaping special characters in tainted information. But this only works to a point, and isn't as secure as bound variables.

Also the way a URI query parameter overrides the PHP namespace is horrible.

Possibly, when PHP 5.1 is released, mysql and postgresql users will get bound parameters via the PDO. Maybe. When available. But not for other databases.

Note that I'm not even claiming that SQL injection is the main problem in PHP. The complete lack of scoping rules is the main problem.

Another PHP vulnerability?

Posted Aug 8, 2005 21:36 UTC (Mon) by barrygould (guest, #4774) [Link]

Also the way a URI query parameter overrides the PHP namespace is horrible.

IIRC, this was fixed in PHP 4.1 (it is now a .ini file option, default is off).

Barry

Another PHP vulnerability?

Posted Jul 15, 2005 18:55 UTC (Fri) by arcticwolf (guest, #8341) [Link]

Lots of bad things can and have been said about sendmail's security record, true, but it's still the most widely-used MTA by far, and even security-conscious projects like OpenBSD do include sendmail as the default MTA.

Just food for thought.

Another PHP vulnerability?

Posted Jul 15, 2005 19:28 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]

sendmail also went through a ground-up rewrite (version 8 IIRC) and has been pretty good since that point. it's a far cry from the bad old days of sendmail

Another PHP vulnerability?

Posted Jul 16, 2005 1:15 UTC (Sat) by dberkholz (subscriber, #23346) [Link]

To be fair, I'm no PHP expert. Nonetheless, it seems to me that that other comparable languages (Perl, Python, Ruby) have not, in fact, been the subject of the number (or severity) of security flaws that have been exhibited by PHP over the past few years.

Do you think that could be because of the relative popularity of various languages?

Another PHP vulnerability?

Posted Jul 17, 2005 4:18 UTC (Sun) by vonbrand (subscriber, #4458) [Link]

To be fair, I'm no PHP expert. Nonetheless, it seems to me that that other comparable languages (Perl, Python, Ruby) have not, in fact, been the subject of the number (or severity) of security flaws that have been exhibited by PHP over the past few years.

I'm sure most of the exposure PHP security has gotten is just due to the fact that it is used on webservers, where it (by definition) is easily reachable, and security problems are rewarding to exploit. If webpages were instead written in FORTRAN, we'd be hearing about security vulnerabilities in that venerable dinosaur instead.

Another PHP vulnerability?

Posted Jul 19, 2005 10:19 UTC (Tue) by job (subscriber, #670) [Link]

Getting dangerously close to that old Windows vs. Linux argument now, aren't we? If you had tried other web development languages than PHP you would know for example how much more difficult it would be to exploit something with Perl in tainted mode than it is under PHP.

And all the criticism above about missing scopes and proper database routines are valid. PHP is in essence a clone of Perl 4 intermixed in HTML. A lot has happened with Perl since then. You might want to look at what Mason or Maypole does now. Ruby on Rails seems to be very hot right now, I don't really like it but it is light years ahead of PHP architecturally.

No, there is no need to stick with PHP. Just leave it with sendmail 6 and bind 8 in the binary dustbin.