[ale] Well, this does nothing for the reputation of Linux

David Tomaschik david at systemoverlord.com
Sun Jul 21 20:33:22 EDT 2013


I'm not a security "expert" per se, but I do a little security work
here and there.  ;)

I don't personally think PHP is as bad as the way some people treat
it, but it has had more than its share of security vulnerabilities.
Let's turn to CVE details for PHP and compare it to ASP.net and
Python:

PHP[1]: 343 vulnerabilities, including 91 with code execution, 60 access bypass
Python[2]: 15 vulnerabilities, none of which grant code execution or
access bypass
ASP.net[3]: 10 vulnerabilities, none of which grant code execution or
access bypass

Now, all that being said, the languages are just the tip of the
iceberg.  I believe that PHP encourages bad security practices.  The
original 'mysql' library (not mysqli) not only encouraged sticking
parameters in the query without escaping, but didn't even support
proper parameterized queries.  So, of course SQLi has been hitting PHP
apps forever.  PHP also really encourages mixing your code and your
presentation (inline PHP), so most people don't use a template engine
that sanitizes data for them, but in fact just output whatever happens
to be in a variable.  Even if that's attacker-controlled, exactly what
you don't want if you're trying to protect against XSS.

I don't think using PHP is the end of the world, but I do think it
gives you plenty of opportunities to shoot yourself in the foot.


[1] http://www.cvedetails.com/product/128/PHP-PHP.html?vendor_id=74
[2] http://www.cvedetails.com/product/18230/Python-Python.html?vendor_id=10210
[3] http://www.cvedetails.com/product/3091/Microsoft-Asp.net.html?vendor_id=26

On Sun, Jul 21, 2013 at 3:03 PM, Alex Carver <agcarver+ale at acarver.net> wrote:
> On 7/21/2013 14:05, Jim Kinney wrote:
>>
>> FACEBOOK IS SECURE?!?!?!?! when did that happen?
>>
>> PHP, according to many security people far more knowledgeable than me,
>> continues to suffer from design flaws in the core. Now add in the rampant
>> proliferation of poorly coded add-ons and you get the mess that is PHP. It
>> makes Java look good.
>>
>
> I'd actually like to see some site where the security issues of PHP are
> discussed.  Most of the things I've seen have to do with either old versions
> or various "core" modules that may or may not be used in particular scripts
> but I really do want to know what it is these security people find to be a
> problem (partly so I can verify my own installations and ensure there's no
> major issue).
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo



-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
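The two foot-guns the message above calls out (string-built SQL under the legacy mysql extension, and inline echo of unescaped variables), shown beside their hardened forms. This is an added example, not code from the original post; it uses PDO with an in-memory SQLite database so it runs offline, and the table, rows and function names are constructed for illustration (the same prepare/bind pattern exists in mysqli via prepare() and bind_param()).

```php
<?php
// Added example (not from the original message). PDO + in-memory SQLite is
// used so this runs without a MySQL server; mysqli offers the same
// prepared-statement API that the old mysql_* functions never had.
declare(strict_types=1);

// Constructed sample schema and rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$db->exec("INSERT INTO users (name, bio) VALUES ('alice', 'likes <b>bold</b> text')");
$db->exec("INSERT INTO users (name, bio) VALUES ('bob', 'plain')");

// The legacy pattern the message describes: with no parameterized queries,
// user input was spliced straight into the SQL text, so any quote character
// in $name changes the structure of the statement. Shown only for contrast;
// it is never executed here.
function legacyQueryString(string $name): string
{
    return "SELECT name, bio FROM users WHERE name = '" . $name . "'";
}

// Hardened form: a parameterized query. The value is bound as data and can
// never be parsed as SQL syntax, whatever characters it contains.
function findUser(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output side: inline "echo $row['bio']" is the XSS pattern the message
// warns about. Escape at the HTML sink instead of trusting the variable.
function renderBio(array $row): string
{
    return '<p>' . htmlspecialchars($row['bio'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// A name containing a quote is just a name that matches nobody.
var_dump(findUser($db, "alice' OR '1'='1"));

// Stored markup in the bio comes out as inert text, not as HTML.
$alice = findUser($db, 'alice');
echo renderBio($alice), PHP_EOL;
```

The first call returns null because the bound value is compared literally; the legacy string in legacyQueryString() would instead have turned the same input into a different WHERE clause.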

