Velocity Reviews - Computer Hardware Reviews


More PHP Stupidity

 
 
Lawrence D'Oliveiro
08-11-2009
Just when you thought it was enough to wean PHP noddies off
"register_globals", turns out there's another way PHP lets an attacker reach
into the internals of your program and screw them around.

<http://blogs.zdnet.com/security/?p=4002>
 
Lawrence D'Oliveiro
08-12-2009
And another bit of cleverness from the PHP set:
<http://www.h-online.com/security/jCryption-1-0-released--/news/113969>.

Don't they realize how pointless this is?
 
Hamish Campbell
08-12-2009
On Aug 12, 12:10 pm, vitw <(E-Mail Removed)> wrote:
> On Wed, 12 Aug 2009 11:33:19 +1200, Lawrence D'Oliveiro wrote:
> > More PHP Stupidity
>
> 'PHP stupidity'?? The second word is redundant!
>
> > Just when you thought it was enough to wean PHP noddies off
> > "register_globals", turns out there's another way PHP lets an attacker
> > reach into the internals of your program and screw them around.
>
> > <http://blogs.zdnet.com/security/?p=4002>
>
> Just like Windows - the smartest offering doesn't always end up
> dominating the market or the industry.
>
> PHP is brain pus. Sadly it wins hearts and minds by giving absolute
> newbies an easy learning curve to becoming slightly productive.
>
> If languages were bikes, then PHP is like a squeaky old tricycle, which
> way too many kids cling to even well into their adulthood, instead of
> upgrading to 2-wheel bike then motorcycle or car.

Except, this isn't a PHP vulnerability.
 
Hamish Campbell
08-12-2009
On Aug 12, 7:21 pm, vitw <(E-Mail Removed)> wrote:
> If a language makes it much quicker, easier, simpler or more convenient
> to write vulnerable code than to write secure code, then I'm sorry, it is
> a vulnerability in the language itself, albeit subtle.

Not really. Some languages presuppose what you are trying to do, which
might allow for better security, or it might just get in the way. On the
other hand, there is a strong argument that this is a false assurance,
since developers will usually find a way to code around 'built-in'
security features of a language.

There is no such thing as a secure programming language.

> Programmers almost always work under time pressure. It's very easy to
> forget that in some places in one's code, the security considerations
> aren't exactly paranoid.


If you want to code securely, use a secure *framework* and learn how
to use it properly.

By the way, anyone interested in these issues should go along to the
monthly OWASP meetups.

http://www.owasp.org/index.php/New_Zealand
 
Lawrence D'Oliveiro
08-12-2009
In message <a6c86477-
c188-405e-8f31-4f047cb38158@k13g2000...oglegroups.com>, Hamish Campbell
wrote:

> Except, this isn't a PHP vulnerability.


NO OTHER language has this "feature", whereby an outside entity can force
certain data types on the program, regardless of the programmer's wishes,
simply by encoding input data in a certain way. It's an unwarranted
intrusion on the internal workings of the program, which is why it's a
security risk.
 
Hamish Campbell
08-12-2009
On Aug 13, 11:39 am, Lawrence D'Oliveiro <l...@geek-central.gen.new_zealand> wrote:
> In message <a6c86477-
> (E-Mail Removed)>, Hamish Campbell
> wrote:
>
> > Except, this isn't a PHP vulnerability.
>
> NO OTHER language has this "feature", whereby an outside entity can force
> certain data types on the program, regardless of the programmer's wishes,
> simply by encoding input data in a certain way. It's an unwarranted
> intrusion on the internal workings of the program, which is why it's a
> security risk.

As with all user input, from any language (but especially an untyped
one), it has to be properly filtered.

If it has not been properly filtered, it is a fault of the developer,
not the language.
 
Lawrence D'Oliveiro
08-13-2009
In message <(E-Mail Removed)>, Hamish Campbell wrote:

> On Aug 13, 11:39 am, Lawrence D'Oliveiro <(E-Mail Removed)_zealand> wrote:
>>
>> In message <(E-Mail Removed)>, Hamish
>> Campbell wrote:
>>
>>> Except, this isn't a PHP vulnerability.
>>
>> NO OTHER language has this "feature", whereby an outside entity can force
>> certain data types on the program, regardless of the programmer's wishes,
>> simply by encoding input data in a certain way. It's an unwarranted
>> intrusion on the internal workings of the program, which is why it's a
>> security risk.
>
> As with all user input, from any language (but especially an untyped
> one), it has to be properly filtered.


In other languages, a string is a string. You feed a string in a URL or form-submission parameter, and the language receives it as a string. End of story. It's only PHP where it can magically interpret certain string formats as encodings for something else that is not a string.

> If it has not been properly filtered, it is a fault of the developer,
> not the language.


You don't need to "filter" strings in any other language if you're just going to use them as strings. Strings are strings. It's only PHP that requires you to check that you really have a string, that it hasn't magically turned into something else.
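The behaviour the whole thread is arguing about, as an added example that is not from any of the posters: when PHP builds $_GET and $_POST it decodes bracketed keys (`name[]=x`, `name[k]=x`) into arrays, so a parameter the code expects to be a string can arrive as an array. The helper names and the sample query strings are constructed for this illustration; `parse_str()` is used so it runs offline with the same decoding rules.

```php
<?php
// Added example, not from the thread. Requires PHP 7.1+ (nullable return types).
// parse_str() applies the same query-string decoding PHP uses for $_GET/$_POST.

function decodeQuery(string $query): array
{
    parse_str($query, $params);
    return $params;
}

// Defensive accessor: return the parameter only if it really is a string.
// Arrays (and a missing key) yield null instead of being silently coerced.
function requireString(array $params, string $key): ?string
{
    if (!array_key_exists($key, $params)) {
        return null;
    }
    return is_string($params[$key]) ? $params[$key] : null;
}

// Constructed sample inputs: the same parameter name, three encodings.
$plain  = decodeQuery('user=alice');        // ['user' => 'alice']
$forced = decodeQuery('user[]=alice');      // ['user' => ['alice']]
$nested = decodeQuery('user[admin]=1');     // ['user' => ['admin' => '1']]

var_dump(is_string($plain['user']));        // bool(true)
var_dump(is_array($forced['user']));        // bool(true)  -- type chosen by the sender
var_dump(is_array($nested['user']));        // bool(true)

// Code that assumes a string misbehaves on the array forms: strlen($forced['user'])
// raises a TypeError on PHP 8 and returns NULL with a warning on PHP 7,
// and a loose comparison like $forced['user'] == 'alice' is simply false.
// Checking the type first keeps the later string handling honest:
echo requireString($plain, 'user') ?? 'rejected', PHP_EOL;   // alice
echo requireString($forced, 'user') ?? 'rejected', PHP_EOL;  // rejected
echo requireString($nested, 'user') ?? 'rejected', PHP_EOL;  // rejected
```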
 