NYCPHP Meetup

NYPHP.org

[nycphp-talk] PHP-related book comments

Rolan Yang rolan at omnistep.com
Tue Jul 13 16:44:03 EDT 2004


John Lacey wrote:

> from page 190:
> "In many cases, software may come preset with various parameters set 
> by default. In many cases, the default values are set with no regard 
> for security..."  The authors go on to mention PHP global variables 
> and characterize PHP as "In seriously broken languages like PHP, a 
> number of default configurations are poorly set."
>
>
> Further down the page is this paragraph:
> "PHP is a study in bad security."    I believe that if the authors had 
> said something like "phpBB is a study in bad security"  they might 
> have stated the problem correctly.
>
> So, before I send an email to these guys, is there anything else I 
> should point out?
>
I wouldn't say that PHP is broken in regards to security. Global 
variables (or register_globals) are not in themselves security holes. 
They do allow sloppy programmers to more easily write code that is 
exploitable though. That's not a language problem, it's a programmer 
problem. I don't think it should be the responsibility of the scripting 
language to save us from ourselves. Input validation should be performed 
regardless of what system is employed. For me, the speed and simplicity of 
programming in PHP far outweighs the alleged "security issues" people 
claim to exist. If you design the system smart and write clean, secure 
code, your apps should run as well as, if not better than, with any other 
scripting language.

~Rolan


RE: [nycphp-talk] PHP-related book comments

Hans Zaunere hans not junk at nyphp.com
Tue Jul 13 17:50:36 EDT 2004


> In preparation for writing two security courses -- a security survey
> and a security tools course, the usual suspects of the latest reference
> books were purchased, as well as Knoppix STD.   btw, my area of
> expertise has primarily been in LAN/WAN networking, TCP/IP and routing
> protocols, and forensics.  One book that I hadn't seen before is
> "Exploiting Software: How to Break Code" by Greg Hoglund and Gary
> McGraw.  Overall, it's not a bad book for the most part.   It was
> published Feb. 2004.
> One small section that I took issue with and am about to write the
> authors about is their characterization of PHP.  I quote:
>
> from page 190:
> "In many cases, software may come preset with various parameters set
> by default. In many cases, the default values are set with no regard for
> security..."  The authors go on to mention PHP global variables and
> characterize PHP as "In seriously broken languages like PHP, a number
> of default configurations are poorly set."

I like how he apparently confuses "software" by then giving a
programming language as an example.  Outlook is software that comes with
various parameters set by default with no regard for security - PHP
isn't.

But I know what he's getting at, and he's right... register_globals (as
we all know :) was a bad idea.  True, it's still possible to write
secure code with it on, but by having it enabled, a world of
inexperienced people could throw sloppy code together and have it
magically "work."

In fact, PHP has had several of these bad ideas (directives with the
word "magic" in them come to mind).

But security is really dependent on the programmer or user - I *always*
turn the default settings off in Outlook.  And, I *always* use
php.ini-recommended (which the PHP group has made available for years,
for this exact reason).

> First, the authors apparently don't know anything about PHP 4.2.0
> which, I believe, was released over 2 years ago.  Ironically, their next
> paragraph begins with "In the interest of convenience (laziness?),
> some programmers..."
>
> Seems the authors were too lazy to check their facts.  It makes me
> wonder if they've even bothered to research their subject to find a
> file called php.ini-recommended.

Well, I guess I should have read your message a little further :)  I
agree 100% - I doubt they did.  Or, they looked at it 3 years ago, and
assumed nothing changed before writing the book 3 years later.

> Further down the page is this paragraph:
> "PHP is a study in bad security."    I believe that if the authors had
> said something like "phpBB is a study in bad security"  they might
> have stated the problem correctly.
>
> So, before I send an email to these guys, is there anything else I
> should point out?

I think it's basically that PHP the language has actually had very few
problems over its lifetime.  In fact, it's up to the programmer to
ensure his application is secure - not the programming language.

Is C insecure because you can write over memory?

Is Assembly insecure because I can make your IDE controller do evil
things?

Is C++ insecure because Windows has loads of holes (5 new today)?

Is PHP insecure because it makes it easy for people to write
applications?


H
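The register_globals point raised in both replies above (that the directive is not itself a hole, but lets code that never initializes its own state "magically work" on attacker-supplied variables) is easiest to see in code. The following is an added example written for this page; it is not code from the thread, from the book under discussion, or from any PHP project. The request array, the REAL_PASSWORD constant and the handler function names are constructed for illustration. register_globals was removed in PHP 5.4, so the "On" behaviour is emulated with extract(), which produces the same effect the directive had: every request field becomes a plain variable in scope.

```php
<?php
// Added example, not from the original thread. Shows why register_globals
// was a bad default: sloppyHandler() assigns $authorized only on the
// success path and never initializes it, so when request fields become
// variables a request carrying authorized=1 is treated as logged in.
// hardenedHandler() initializes its state and reads only the field it
// expects from the request, so the same request is harmless regardless
// of the directive.

declare(strict_types=1);

// Constructed attacker request: wrong password, plus the variable the
// sloppy code happens to trust. (Assumed data, for illustration.)
$attackerRequest = ['authorized' => '1', 'pw' => 'wrong'];

// Hypothetical secret; real code would compare against a stored hash.
const REAL_PASSWORD = 'correct horse battery staple';

function sloppyHandler(array $request, bool $registerGlobals): bool
{
    if ($registerGlobals) {
        // Emulates register_globals=On: each request key becomes a local
        // variable, exactly as the directive did for every request.
        extract($request, EXTR_OVERWRITE);
    }
    // $authorized is set only on success and never initialized first.
    if (isset($request['pw']) && $request['pw'] === REAL_PASSWORD) {
        $authorized = true;
    }
    // Trusts whatever $authorized currently holds, wherever it came from.
    return !empty($authorized);
}

function hardenedHandler(array $request): bool
{
    $authorized = false;          // explicit initial state
    $pw = $request['pw'] ?? '';   // read only the expected field
    if (hash_equals(REAL_PASSWORD, $pw)) {
        $authorized = true;
    }
    return $authorized;
}

// Checks the running interpreter's own setting. On PHP >= 5.4 ini_get()
// returns false because the directive no longer exists, which counts
// as Off; on older builds the value must be empty, "0" or "off".
function registerGlobalsIsOff(): bool
{
    $v = ini_get('register_globals');
    return $v === false || $v === '' || $v === '0' || strtolower($v) === 'off';
}

printf("sloppy handler, register_globals emulated On : %s\n",
    sloppyHandler($attackerRequest, true) ? 'BYPASSED' : 'denied');
printf("sloppy handler, register_globals Off         : %s\n",
    sloppyHandler($attackerRequest, false) ? 'BYPASSED' : 'denied');
printf("hardened handler, either setting             : %s\n",
    hardenedHandler($attackerRequest) ? 'BYPASSED' : 'denied');
printf("this interpreter has register_globals off    : %s\n",
    registerGlobalsIsOff() ? 'yes' : 'no');
```

Run it with `php register_globals_demo.php` (file name assumed). Two things are worth noticing: the sloppy handler is only exploitable when the directive is on, which is the sense in which the replies call it a programmer problem rather than a language hole, and the hardened handler does not depend on the setting at all, which is the property to aim for. On a PHP 4 or 5.0-5.3 install the corresponding php.ini line is `register_globals = Off`, the value php.ini-recommended shipped with.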




