[ale] Seven Deadly Sins

Jonathan Rickman jonathan at xcorps.net
Fri Jun 13 08:29:23 EDT 2003


On Thu, 12 Jun 2003, Christopher Bergeron wrote:

> Too late.  The PHP genie is out of the bottle.  It's FAST, it's EASY,
> and it's surprisingly powerful.  Not using it for web development because
> it "has had a recent history of ... security vulnerabilities" is roughly
> equivalent to asking people not to use apache, dns, or ssh (those
> packages have also recently been found to have serious security
> issues/bugs).  In fact, a more poignant argument would be that we
> shouldn't use C as a programming language because it suffers from
> strcmp() (and many other) issues that don't check variables before
> passing them blindly into memory.  The language itself shouldn't be the
> target, the coded product should be.

Your logic here is sound, but the argument just doesn't stand up to real
world experience.


> admin), I think that the only real pseudo-advantage that the PHP
> alternatives have to offer is that they are obscure.  As we all know,
> security _can't_ be obtained through obscurity.  cgi, perl, et al; have
> not been adopted as thoroughly as PHP has (to date) for web programming;
> and as a direct result, I maintain that PHP is targeted more often.  A
> comparison of adoption-TO-critical-vulnerabilities, or
> market-saturation-TO-compromised-hosts, etc. would probably be a much
> more convincing argument.

Perl obscure? Mmmmhhmmmmm...

Sure, there are plenty of poorly written Perl CGIs out there...but the
ratio of code to vulns is nowhere close to the ratio that PHP has.

This is far from real statistical evidence, but take it for what it's
worth.

Google for "PHP Vulnerability"
Returns over 1400 hits

s\PHP\Perl\g reduces it to 279

Sure, it's a shot in the dark, but there's obviously little comparison
between the two.

> Why post an IIS hacked site as an example in a PHP-dominant
> discussion/email-thread _after_ stating that you trust IIS _less_ than
> PHP?  Wouldn't an equivalent link of a PHP hacked site solidify your
> point more concretely?

PHP on the whole is insecure. That's just the way it is. By refusing Bob's
advice out of hand, you're no different than the guy with the cracked IIS
box. Trust me, at some point, someone in the know probably advised him
against using IIS and he adopted the same attitude that you have.



--
Jonathan Rickman
X Corps Security
http://www.xcorps.net

_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale