[Cialug] URGENT! How to list all files new/modified last 24 hours
Matthew Nuzum
newz at bearfruit.org
Fri Oct 26 15:47:32 CDT 2012
These numbers are hard to take seriously because PHP is by far the most
common programming language available on the web. It is no wonder that
there are more security issues. Simply because every common web hosting
provider supports PHP then it is a more popular attack vector and gets more
scrutiny from security "researches." (black and white hats)
Probably the most valid security gripe I've seen against the PHP project
has to do with how they have historically released security updates. In the
past they have released security updates along with new features updates.
So for example, 5.2 has a bug so they roll out 5.2.1 with the fix for the
bug and also three new features. This is a bummer for people who need
stability. They prefer bug fix updates to be 5.2.x and feature updates to
be 5.x releases. Django is a good example of this. If you get 1.4.x the
features are consistent unless a vulnerability patch requires a backwards
incompatible change.
The good news is that your Linux vendor probably does the hard work of
separating the features from the security patches and backport them to the
rev of PHP they installed. That means the version numbers for your PHP
package look a little odd but it means that if you test your app on the php
5.2 you got when your server was new then your php app will work pretty
consistently on the php 5.2 after security updates are applied.
On Fri, Oct 26, 2012 at 1:36 PM, Nicolai <nicolai-cialug at chocolatine.org>wrote:
> On Fri, Oct 26, 2012 at 12:25:37PM -0500, Kenneth Younger wrote:
> > PHP itself isn't inherently dangerous. Let's not spread some FUD, now.
>
> It isn't FUD at all: PHP is an unmitigated security disaster. Here's a
> page showing its percentage of security holes among all known:
>
> http://www.coelho.net/php_cve.html
>
> Ouch. Nothing else compares to that.
>
> You can search for vulnerabilities here:
>
> http://web.nvd.nist.gov/view/vuln/search
>
> PHP: 20,480
> Javascript: 847
> Python: 142
> Apache: 573
> nginx: 12
> publicfile: 0
> MySQL: 364
> PostgreSQL: 83
> sqlite: 25
>
> PHP dwarfs other software. There is just no comparison at all. If PHP
> is considered secure, than nothing can be considered insecure.
>
> Quoting an OpenBSD developer and Google Security Engineer:
>
> "PHP is a domain-specific language for writing XSS and SQL
> injection bugs." - Matthew Dempsky
>
> There are alternatives to PHP, so its use is inappropriate at best.
> Some would say it's criminally negligent, but I don't think in general
> that software security laws should exist.
>
> Nicolai
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
--
Matthew Nuzum
newz2000 on freenode, skype, linkedin and twitter
♫ You're never fully dressed without a smile! ♫
More information about the Cialug
mailing list