[Cialug] URGENT! How to list all files new/modified last 24 hours

David Champion dchamp1337 at gmail.com
Fri Oct 26 15:53:34 CDT 2012


I've never had any major problems with the new features of PHP breaking
sites. The worst was the Register Globals default setting change, but that
could be worked around by a setting in the php.ini or .htaccess on a per-site
level.

-dc

On Fri, Oct 26, 2012 at 3:47 PM, Matthew Nuzum <newz at bearfruit.org> wrote:

> These numbers are hard to take seriously because PHP is by far the most
> common programming language available on the web. It is no wonder that
> there are more security issues. Simply because every common web hosting
> provider supports PHP, it is a more popular attack vector and gets more
> scrutiny from security "researchers." (black and white hats)
>
> Probably the most valid security gripe I've seen against the PHP project
> has to do with how they have historically released security updates. In the
> past they have released security updates along with new features updates.
> So for example, 5.2 has a bug so they roll out 5.2.1 with the fix for the
> bug and also three new features. This is a bummer for people who need
> stability. They prefer bug fix updates to be 5.2.x and feature updates to
> be 5.x releases. Django is a good example of this. If you get 1.4.x the
> features are consistent unless a vulnerability patch requires a backwards
> incompatible change.
>
> The good news is that your Linux vendor probably does the hard work of
> separating the features from the security patches and backports them to the
> rev of PHP they installed. That means the version numbers for your PHP
> package look a little odd but it means that if you test your app on the php
> 5.2 you got when your server was new then your php app will work pretty
> consistently on the php 5.2 after security updates are applied.
>
> On Fri, Oct 26, 2012 at 1:36 PM, Nicolai <nicolai-cialug at chocolatine.org
> >wrote:
>
> > On Fri, Oct 26, 2012 at 12:25:37PM -0500, Kenneth Younger wrote:
> > > PHP itself isn't inherently dangerous. Let's not spread some FUD, now.
> >
> > It isn't FUD at all: PHP is an unmitigated security disaster.  Here's a
> > page showing its percentage of security holes among all known:
> >
> > http://www.coelho.net/php_cve.html
> >
> > Ouch.  Nothing else compares to that.
> >
> > You can search for vulnerabilities here:
> >
> > http://web.nvd.nist.gov/view/vuln/search
> >
> > PHP: 20,480
> > Javascript: 847
> > Python: 142
> > Apache: 573
> > nginx: 12
> > publicfile: 0
> > MySQL: 364
> > PostgreSQL: 83
> > sqlite: 25
> >
> > PHP dwarfs other software.  There is just no comparison at all.  If PHP
> > is considered secure, then nothing can be considered insecure.
> >
> > Quoting an OpenBSD developer and Google Security Engineer:
> >
> >  "PHP is a domain-specific language for writing XSS and SQL
> >   injection bugs." - Matthew Dempsky
> >
> > There are alternatives to PHP, so its use is inappropriate at best.
> > Some would say it's criminally negligent, but I don't think in general
> > that software security laws should exist.
> >
> > Nicolai
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > http://cialug.org/mailman/listinfo/cialug
> >
>
>
>
> --
> Matthew Nuzum
> newz2000 on freenode, skype, linkedin and twitter
>
> ♫ You're never fully dressed without a smile! ♫
>


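The thread's subject asks how to list every file created or modified in the last 24 hours, which is the first triage step on a web root you suspect has been tampered with. The script below is an added example, not code from the thread or from any of its participants. It builds a small constructed sample tree (the paths, a "cache" noise directory to prune, and the backdated timestamps are all assumptions for the demo) and then shows three `find` variants a responder actually needs: the plain mtime window, the same window on ctime, and a "newer than a reference file" query. The ctime variant matters because mtime is trivially forged with `touch -t` (the demo does exactly that to `index.php`), whereas setting the mtime refreshes the inode's ctime, so a backdated file still shows up in a ctime search. None of this catches files an attacker deleted or changes made with the system clock rolled back; it is a starting point, not a verdict.

```shell
#!/bin/sh
# Added example (not from the thread): list files new/modified in the last
# 24 hours under a web root, with the checks a responder wants alongside it.
# The sample tree, its file contents and the "cache" directory are constructed
# assumptions for the demo, not anything the thread describes.
set -eu

# Build a constructed sample tree in a temp dir and print its path.
make_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/site/uploads" "$sample_root/site/cache"
    printf '<?php /* long-lived file */ ?>\n' > "$sample_root/site/index.php"
    printf '<?php /* constructed new file */ ?>\n' > "$sample_root/site/uploads/x.php"
    printf 'old\n' > "$sample_root/site/old.txt"
    printf 'junk\n' > "$sample_root/site/cache/tmp.dat"   # fresh but noise
    # Backdate with POSIX touch -t (CCYYMMDDhhmm); the date is the thread's.
    touch -t 201210261553 "$sample_root/site/old.txt"     # genuinely old content
    touch -t 201210261553 "$sample_root/site/index.php"   # forged mtime on a live file
    printf '%s' "$sample_root"
}

# Files whose contents changed in the last 24 hours (mtime). -mtime -1 is
# POSIX and means "less than one whole day ago". A directory named "cache"
# is pruned so generated files do not drown the signal.
recent_by_mtime() {
    find "$1" -type d -name cache -prune -o -type f -mtime -1 -print | sort
}

# Same window on the inode change time (ctime). ctime cannot be set with
# touch(1); backdating a file with touch -t refreshes its ctime, so files
# with forged mtimes still appear here.
recent_by_ctime() {
    find "$1" -type d -name cache -prune -o -type f -ctime -1 -print | sort
}

# Files modified after a reference file (e.g. a deployment marker you trust),
# for when "24 hours" is a guess rather than the real window.
newer_than() {
    find "$1" -type f -newer "$2" -print | sort
}

# Stand-alone demo: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_sample_tree)
    echo "== mtime within 24h (forged index.php is missing) =="
    recent_by_mtime "$demo_root"
    echo "== ctime within 24h (forged index.php is caught) =="
    recent_by_ctime "$demo_root"
    rm -rf "$demo_root"
fi
```

Run both the mtime and ctime listings and diff them: a file that appears only in the ctime list either had its timestamps rewritten or had its ownership, mode or link count changed, and either way deserves a look. Once you have a trusted reference point (a deployment tarball, a backup, a log entry whose time you believe), `newer_than` gives a tighter window than a fixed 24 hours.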