PHP flaws pose hacker risk

And check this out: Most of the vulnerabilities only exist in Win... no, wait. The vulnerabilities only exist for Linux and Solaris. Wow. Didn't see that one coming, but it does amuse me to no end. How fun, I get to flame on Linux and PHP. Linux SUCKS!!! PHP SUCKS!! Why can't Linux provide robust, secure solutions like Microsoft does? If only the lusers of the world would embrace ASP as the only True Server Side Engine.   The Register US

Comments

Re: PHP flaws pose hacker risk

Ok there big fella, you made your point. Seriously, these are valid exploits and they appear to affect the file upload capability of PHP. Thanks for pointing users to this. PHP installed correctly, or for that matter, used correctly, is not really vulnerable to this but very few people "use" it correctly. What I mean is, verify ALL user input BEFORE processing. There was a CERT advisory years ago about malicious tags in input (not just for PHP mind you, for ANYTHING) and they recommended validating ALL input. Ever since then I have done so, but I don't know of ANY other projects I have been involved with that bother (despite my stating, uh, hey, validate ALL input.) Specifically every form on any site, every form, login box to long drawn out mortgage application, should validate input before processing. Check for malicious tags in input (applet, object, embed, php, asp, jsp, etc) and figure out some mechanism to check file uploads. That part is sketchy, and harder to do, but checking all HTML normal FORM input is EASY. Write a function or method to do this and strip out all bad stuff, use it before every form post. On the file upload thing, get the latest version of PHP (to eliminate these PHP exploits) AND define your policy, how big, what type, where to, etc. As for this clown that posted this story saying ASP is the only way to go, judge for yourself on that one, do a little search anywhere on the web and look for PHP-apache exploits and then compare that to ASP-IIS exploits. No contest. The big guy likes to jab back, understood, but ASP, .NET, IIS, C#, VB, etc, etc, etc, all suck ass and this is the second or third PHP problem I have EVER seen.
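
The upload policy the comment above asks for ("how big, what type, where to"), written out as an added example; it is not part of the original thread. The size limit, the allowed types, the storage path and the function name `accept_upload` are assumptions chosen for illustration.

```php
<?php
// Added example: enforce an upload policy before a file is kept.
// All policy values below are assumptions, not taken from the thread.
const MAX_BYTES = 2 * 1024 * 1024;            // "how big"
const ALLOWED = [                             // "what type": MIME type => stored extension
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];
const UPLOAD_DIR = '/var/app-data/uploads';   // "where to": hypothetical path outside the web root

/**
 * Validate one entry of $_FILES and move it into UPLOAD_DIR.
 * Returns the stored path; throws RuntimeException on any policy violation.
 */
function accept_upload(array $file): string
{
    // Reject multi-file arrays and anything PHP flagged as a failed upload.
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('malformed upload');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . $file['error']);
    }
    // Only accept a file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Measure the real file; $file['size'] is not the source of truth.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('size outside policy');
    }
    // Derive the type from content; $file['type'] and the name are client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('type not allowed');
    }
    // Server-generated name: the client's filename never reaches the filesystem.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// In a form handler (field name "attachment" is hypothetical):
// $path = accept_upload($_FILES['attachment']);
```

Storing under a generated name with an allowlisted extension, outside the document root, means an uploaded file cannot be requested back and executed as a script even if the content check is fooled.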

Re: PHP flaws pose hacker risk

Don't try to use logic or common sense to confuse the situation. It only raises you to my level. Just out of idle curiosity, have you ever used VB or C#? More specifically, have you used them for a non web-based app? I'd take either one over Java and Schwing, having tried to crank out little apps in all three. VB is definitely the easiest to get going, and the easiest to max out on. Then you gotta start using Win32 calls, and it starts to get ugly. C# seems to be ok, but haven't done a lot, yet. Schwing, I simply detest. It is back asswards, slow and painful. So, here is your task: create a simple app that works on a desktop, (gonna restrict you to Windows, since a lot of time, that is real-life.) What language have you used, and would you use again? Anyone?

Re: PHP flaws pose hacker risk

Uh, that would put me on "your level", I think I will just stick with .NET sucks!!!

Re: PHP flaws pose hacker risk

Hey, I put this story out there just for you and got no response, what's up with that? http://screaming-penguin.com/main.php?storyid=2179

Re: PHP flaws pose hacker risk

Actually, I never read the linked article cause I thought it was talking about the whole GNOME/Mono/.NET thingy that was going on at the same time. I was oh so sick of that discussion, so I didn't even go there. After reading it, it was pretty humorous. I am pretty surprised that a posse hasn't knocked on my door so far. Guess I am not important enough. Someday, maybe. Till then, keep chanting your litany, my one-track minded compatriot.
