Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
From: Jamie Riden (jamie.ridengmail.com)
Date: Fri Feb 24 2006 - 15:07:52 CST
On 22/02/06, Kevin Waterson <kevinoceania.net> wrote:
> This one time, at band camp, Gadi Evron <gelinuxbox.org> wrote:
> > 3. Staying on top of new PHP vulnerabilities has become impossible,
> > popping around everywhere.
> What vulnerabilities in PHP?
> Are implying the fault is within the language itself?
I think Gadi meant vulnerabilities in PHP applications; though the
language doesn't make it particularly easy to write secure code.
> This is akin to saying C has vulnerabilites because some script kiddie
> wrote a poor application.
Like this ?
"We can give you advice on how to write good cryptographic code. Avoid
any programming language that allows buffer overflows. Specifically:
don't use C or C++" -- Practical Cryptography, Schneier and Ferguson,
(p149 in my copy).
It's a point of view that has something to be said for it. You *can*
write secure code in C and PHP, but it takes a lot of care and most
programmers don't take that care. I've been told privately that one
penetration tester could gain system privileges on the majority of
webservers he checked; that used to surprise me, but doesn't any
longer. I don't whether that's a 'vulnerability', 'disadvantage' or
'feature' of PHP and other scripting languages.
Jamie Riden / jamesreurope.com / jamie.ridengmail.com