[Klug-general] Web Scripting Languages

MacGyveR macgyver at thedumbterminal.co.uk
Tue Jan 9 08:03:02 GMT 2007


On Monday 08 Jan 2007 08:02, Allen Brooker wrote:
> MacGyveR wrote:
> > "PHP can be run as either a CGI application or as an integrated Web
> > server module. Regardless of its mode of execution, the PHP interpreter
> > has the potential to access virtually every part of the host -- the file
> > system, network interfaces, IPC, etc. Consequently, it has the potential
> > to do (or be forced to do) a lot of damage. "
> >
> > http://www.developer.com/lang/article.php/918141
> >
> > you can do much more than sql injection with php, arbitrary code
> > execution is the buzz hack of the moment with php apps. an example of
> > this is seen on popular os apps such as phpbb2 security issues.
>
> And you can achieve the same attacks with Perl, Python, Java, C#, etc.
> You've picked the opening section and ignored the rest of the article.
> These same issues occur with any other language when used for dynamic
> web pages.
>
> And eww, developer.com - these guys will buy any article offered to them
> by any half brained idiot.
>
> > "access to the shell via the apache user easily"
> >
> > anyone who runs cgi scripts as the apache user is living in the past :-)
> > you use a different, more restrictive user (but saying that mod_php
> > normally runs as the apache user :-),
> >
> > this should be done in php too with su_php:
> >
> > http://www.suphp.org/
> >
> > otherwise all your php scripts will be equal on your server (normally
> > running as the apache user)
> >
> > 43 percent of web app problems in 2006:
> >
> > http://www.securityfocus.com/news/11430
>
> Not really a big surprise considering PHP's "market share". PHP is
> hugely popular.
>
> > php security boss leaves php saying that securing php is futile:
> >
> > http://blog.php-security.org/archives/61-Retired-from-securityphp.net.html
>
> In his own words only. If you take the time to investigate and read the
> blogs of the rest of the PHP security team (and other PHP developers),
> you'll discover there were other reasons for his departure that are not
> to do with the security of PHP at all.
>
> > I don't think php is a secure language, but it does have its uses (I use
> > it on my own site)
>
> That's right, you don't think - otherwise you would have realised that
> your arguments are dumb and typical of people who spread FUD about PHP
> security.
>
> Regards,
>
> Allen
>
> _______________________________________________
> Kent mailing list
> Kent at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/kent

So we agree then that php, perl or python can all suffer from the same attack
vectors.

-- 
--------------------------------
http://www.thedumbterminal.co.uk
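The privilege-separation point raised above (run CGI scripts as a restrictive per-site user rather than the shared apache user, and do the same for PHP via suPHP) is easier to see in a configuration fragment. The following is an added illustration, not configuration from the thread or from either project; the host names, paths and account names (alice.example, bob.example, site_alice, site_bob) are assumptions chosen for the example.

```apache
# Added illustration (not from the thread): per-site privilege separation,
# so that a compromised script on one site runs with that site's unprivileged
# account and cannot read or modify another site's files.
# Assumes two hypothetical sites, each owned by its own system account
# (site_alice and site_bob); these names are placeholders.

# Classic CGI: mod_suexec runs this vhost's CGI scripts as the named
# user/group instead of as the Apache worker user.
<VirtualHost *:80>
    ServerName alice.example
    DocumentRoot /srv/www/alice.example/htdocs
    SuexecUserGroup site_alice site_alice
    ScriptAlias /cgi-bin/ /srv/www/alice.example/cgi-bin/
</VirtualHost>

# PHP: mod_php executes inside the worker process, so every site's PHP
# would otherwise share the apache user. suPHP (mentioned in the thread)
# hands .php files to a setuid helper that runs them as the site owner.
<VirtualHost *:80>
    ServerName bob.example
    DocumentRoot /srv/www/bob.example/htdocs
    suPHP_Engine on
    suPHP_UserGroup site_bob site_bob
    suPHP_AddHandler x-httpd-php
    AddHandler x-httpd-php .php
</VirtualHost>
```

For the separation to mean anything, the files under each DocumentRoot should be owned by that site's account and not be world-readable, so that code running as site_alice cannot read bob.example's source or configuration. Note also that suexec enforces compile-time restrictions (scripts must live under its configured document root, the target uid/gid must be above its minimum values, and the script and its directory must not be writable by others); a vhost that violates them fails to execute CGI rather than silently falling back to the apache user, which is the behaviour you want.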