Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]

On 22/02/06, Kevin Waterson <kevin@oceania.net> wrote:
> This one time, at band camp, Gadi Evron <ge@linuxbox.org> wrote:
>
> > 3. Staying on top of new PHP vulnerabilities has become impossible,
> > popping around everywhere.
>
> What vulnerabilities in PHP?
> Are implying the fault is within the language itself?

I think Gadi meant vulnerabilities in PHP applications; though the
language doesn't make it particularly easy to write secure code.

> This is akin to saying C has vulnerabilites because some script kiddie
> wrote a poor application.

Like this ?

"We can give you advice on how to write good cryptographic code. Avoid
any programming language that allows buffer overflows. Specifically:
don't use C or C++" -- Practical Cryptography, Schneier and Ferguson,
(p149 in my copy).

It's a point of view that has something to be said for it. You *can*
write secure code in C and PHP, but it takes a lot of care and most
programmers don't take that care. I've been told privately that one
penetration tester could gain system privileges on the majority of
webservers he checked; that used to surprise me, but doesn't any
longer. I don't whether that's a 'vulnerability', 'disadvantage' or
'feature' of PHP and other scripting languages.

cheers,
 Jamie
--
Jamie Riden / jamesr@europe.com / jamie.riden@gmail.com