[Klug-general] Web Scripting Languages

Allen Brooker allen at allenjb.me.uk
Mon Jan 8 08:03:47 GMT 2007


MacGyveR wrote:
> "PHP can be run as either a CGI application or as an integrated Web server 
> module. Regardless of its mode of execution, the PHP interpreter has the 
> potential to access virtually every part of the host -- the file system, 
> network interfaces, IPC, etc. Consequently, it has the potential to do (or be 
> forced to do) a lot of damage. "
> 
> http://www.developer.com/lang/article.php/918141
> 
> You can do much more than SQL injection with PHP; arbitrary code execution is 
> the buzz hack of the moment with PHP apps. An example of this is seen in 
> popular OS apps such as phpBB2 security issues.

And you can achieve the same attacks with Perl, Python, Java, C#, etc. 
You've picked the opening section and ignored the rest of the article. 
These same issues occur with any other language when used for dynamic 
web pages.

And eww, developer.com - these guys will buy any article offered to them 
by any half-brained idiot.

> 
> "access to the shell via the apache user easily"
> 
> Anyone who runs CGI scripts as the Apache user is living in the past :-) You 
> use a different, more restrictive user (but, saying that, mod_php normally 
> runs as the Apache user :-)).
> 
> This should be done in PHP too with suPHP:
> 
> http://www.suphp.org/
> 
> Otherwise all your PHP scripts will be equal on your server (normally running 
> as the Apache user).
> 
> 43 percent of web app problems in 2006:
> 
> http://www.securityfocus.com/news/11430

Not really a big surprise considering PHP's "market share". PHP is 
hugely popular.

> 
> PHP security boss leaves PHP, saying that securing PHP is futile:
> 
> http://blog.php-security.org/archives/61-Retired-from-securityphp.net.html

In his own words only. If you take the time to investigate and read the 
blogs of the rest of the PHP security team (and other PHP developers), 
you'll discover there were other reasons for his departure that are not 
to do with the security of PHP at all.

> 
> I don't think PHP is a secure language, but it does have its uses (I use it 
> on my own site).
> 
That's right, you don't think - otherwise you would have realised that 
your arguments are dumb and typical of people who spread FUD about PHP 
security.

Regards,

Allen
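The privilege split MacGyveR describes above (every script running as the Apache worker user under mod_php, versus one low-privilege user per site under suPHP) is easiest to see as a pair of vhost configurations. This is an added example, not configuration from the original thread, the suPHP project or either poster; the hostnames, document roots and Unix users are made up, and it assumes mod_suphp is installed and that the suphp binary is setuid root as its installer leaves it.

```apache
# --- Weak setting: mod_php ---
# Every PHP script on this host executes as the Apache worker user
# (www-data, apache, nobody, depending on the distribution). A file-read
# or code-execution bug in site-a's code therefore reaches site-b's
# config.php, uploads and session files as well.
<VirtualHost *:80>
    ServerName site-a.example.com
    DocumentRoot /var/www/site-a
    AddHandler application/x-httpd-php .php
</VirtualHost>

<VirtualHost *:80>
    ServerName site-b.example.com
    DocumentRoot /var/www/site-b
    AddHandler application/x-httpd-php .php
</VirtualHost>

# --- Corrected setting: suPHP ---
# suPHP runs the PHP CGI binary as the user/group named per vhost, so the
# two sites are separated by ordinary Unix file permissions instead of
# sharing one identity. (Users "sitea" and "siteb" are assumed to exist
# and to own their respective DocumentRoots.)
LoadModule suphp_module modules/mod_suphp.so

<VirtualHost *:80>
    ServerName site-a.example.com
    DocumentRoot /var/www/site-a
    # Stop mod_php from also handling .php in this vhost if it is loaded.
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
    suPHP_Engine on
    suPHP_UserGroup sitea sitea
    suPHP_AddHandler x-httpd-php
    AddHandler x-httpd-php .php
</VirtualHost>

<VirtualHost *:80>
    ServerName site-b.example.com
    DocumentRoot /var/www/site-b
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
    suPHP_Engine on
    suPHP_UserGroup siteb siteb
    suPHP_AddHandler x-httpd-php
    AddHandler x-httpd-php .php
</VirtualHost>
```

Two caveats a practitioner will want: suPHP's default "paranoid" mode refuses to execute a script whose file owner does not match the configured suPHP_UserGroup, so the DocumentRoot ownership has to agree with the directive or every request fails with an error rather than silently running as the wrong user; and the separation only holds if /var/www/site-a is not world-readable, because suPHP changes who the script runs as, not what the other user can read. To check which identity a given vhost really executes under, drop in a one-line script that echoes `posix_geteuid()` and compare against /etc/passwd; under mod_php both sites report the Apache worker's uid, under suPHP each reports its own.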


