
PHP Security Expert Resigns

samzenpus posted more than 7 years ago | from the good-day-sir dept.

Security 386

juct writes "PHP security holes have a name — quite often it was Stefan Esser who found and reported them. Now Esser has quit the PHP security team. He feels that his attempt to make PHP safer "from the inside" is futile. Basic security issues are not addressed sufficiently by the developers. Zeev Suraski, Zend's CTO, of course disagrees and urges Stefan to work with the PHP development team instead of working against it. But given the number of remote code execution holes in PHP apps this year, Esser might have a point. And he plans to continue his quest for security holes in PHP. Only that from now on, he will publish them after a reasonable time — regardless of whether a patch is available or not." Update: 10/30 12:57 GMT by KD : Zeev Suraski wrote in to protest: "I'm quoted as if I 'point fingers at inexperienced developers,' and of course, there's no link to that — because it's not true! The two issues — security problems in Web apps written in PHP, and security problems in PHP itself — are two distinct issues. Nobody, including myself, is saying that there are no security problems in PHP — not unlike pretty much any other piece of software. Nobody, I think, argues the fact that there have been many more security problems at the application level than there were at the language level. I never replied to Stefan's accusations of security problems in PHP saying 'that's bull, it's all the developers' fault,' and I have no intention to do it in the future."


386 comments

php is the best language still (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17233360)

it doesn't matter if he resigned

Lemme guess... MySQL is also the best database? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17233382)

Fuck your newbie language (PHP), fuck your newbie database (MySQL), and most of all fuck your newbie OS (Micro$oft Winblows)! Damn you AOL for letting your ilk on the Internet!

Re:Lemme guess... MySQL is also the best database? (3, Funny)

Shads (4567) | more than 7 years ago | (#17233470)

Any language is only as good as the programmer using it.

I use a LAMP stack for the most part, many of the security holes in php aren't due to the language itself but the developers of the various webapps.

That being said, this requires a repost of the ol Adminspotting [adminspotting.org] thang.

Choose no life. Choose no career. Choose no family.
Choose a fucking big computer, choose disk arrays the
size of washing machines, modem racks, CD-ROM writers,
and electrical coffee makers. Choose no sleep, high
caffeine and mental insurance. Choose no friends.
Choose black jeans and matching combat boots. Choose
chairs for your office in a range of fucking fabrics.
Choose SMTP and wondering why the fuck you are logged
on on a sunday morning. Choose sitting in that swivel
chair looking at mind-numbing, spirit-crushing web sites,
stuffing fucking junk food into your mouth. Choose
rotting away at the end of it all, pishing your last in
some miserable newsgroup, nothing more than an
embarrassment to the selfish, fucked up lusers Gates
spawned to replace the computer-literate.

Choose your future.
Choose to sysadmin.

Re:Lemme guess... MySQL is also the best database? (5, Insightful)

eln (21727) | more than 7 years ago | (#17233662)

Yes, bad developers produce insecure code, but let me take you on a brief trip down memory lane.

Way back when, when the Web was new, and CGI was just starting out, there was some debate as to whether C or Perl should be the language of choice for writing CGI scripts. In the end, Perl became much more widely used because it was just too damn easy to open up major security holes writing in C, because it lacked some of the features of Perl (like making it impossible to commit a buffer overrun, for example). Perl won out in early CGI precisely because a lot of the problems of CGI security were already solved because of inherent features of the language.

Now, PHP came along and billed itself (and in fact was designed) as an easy way to make secure web scripts. So, if the PHP code has bugs that impact its security in web-based applications, these things should be addressed. Otherwise, it's going to end up being supplanted by another language that is more secure and easier to use to build web apps.

Blaming the developer for security is only going to take you so far when the language the developer is using is supposed to be SPECIFICALLY DESIGNED for web applications.

Re:Lemme guess... MySQL is also the best database? (2, Insightful)

Ckwop (707653) | more than 7 years ago | (#17233796)

This reminds me a lot of the fundamental principle of politics:

Never blame the voters.

In software, people vote with their feet, so I bet this principle applies equally to this field.

Simon.

Shenanigans! (4, Funny)

kahei (466208) | more than 7 years ago | (#17234150)

Now, PHP came along and billed itself (and in fact was designed)

I call shenanigans! No way was PHP 'designed'!

Re:Lemme guess... MySQL is also the best database? (4, Insightful)

quantaman (517394) | more than 7 years ago | (#17233862)

Any language is only as good as the programmer using it.
I actually have a philosophy when writing applications that is almost the complete opposite of that.

Anytime the tool does something that the user doesn't want it's a bug.

This applies to applications, programming languages, heck even cars if you want.

The fact is that if the user gets something they didn't want, no matter how stupidly they tried to use it, the tool still bears some of the blame. I don't care how dumb a thing the user did, there was something there that made them think they could do that and it's a bug.

With programming languages, if the language allows the user to create a security hole it's the fault of the language on some level. Sure you can get stupid programmers, but blaming the programmer entirely discourages the search for a better language. Yeah, if I overrun my array in C it's my fault. But can it be entirely my fault when in Java that same bug wouldn't be a security exploit? Hey, if I drive my car straight off a cliff, is that my fault? Yeah. But a car with a computer failsafe driver wouldn't have gone off the cliff (hey, if two jetliners are on a collision course the computer takes over).

You can never make the perfect tool, even a big green button that will do everything you ever wanted will still have a bunch of people who didn't think to push the button. But it forces you to realize, you can never fix users but you can always fix your code.

Re:Lemme guess... MySQL is also the best database? (1)

trochej (730292) | more than 7 years ago | (#17234066)

> Hey, if I drive my car straight off a cliff, is that my fault? Yeah. But a car with a computer failsafe driver wouldn't have gone off the cliff (hey, if two jetliners are on a collision course the computer takes over).

Hey, if I hit my thumb with a hammer by mistake, would it be my fault? Yeah. But a hammer with a computer failsafe hammer-operator would avoid hitting my thumb, right?

php certainly is the best language... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17233410)

...for script kids to poop on!

Re:php is the best language still (2, Interesting)

Divebus (860563) | more than 7 years ago | (#17233454)

Huge problem is "default" installs - everyone knows where your sample scripts are. Delete those first thing then move/rename the active libraries.

Now, where's that Ruby book?

Re:php is the best language still (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17233496)

"Huge problem is "default" installs"

Huge problem is the lack of proper engineering efforts.

PHP seems to me quite a good language for the task at hand, and its popularity seems to agree with me. Probably some PHP core developers are quite good at defining/developing it. The problem is that for a good product to be born that's not enough. Then you need people with proper engineering knowledge and *attitude*, and I feel that is what these people severely lack.

It's not only the security flaws within the core of it, which are a clear symptom (while proper engineering efforts would reduce them with time); it's that they mix security fixes with new functionality; they change the interpreter behaviour and default options within minor releases... Those are symptoms of the underlying illness: bad engineering attitude.

And it doesn't seem to change in the future; quite a pity.

Couple thoughts (2, Insightful)

BadAnalogyGuy (945258) | more than 7 years ago | (#17233370)

First, the language is wide open for editing. It might help to be someone who not only finds bugs but fixes them.

Second, it's PHP. Add another API or something.

PHP Security Expert (5, Funny)

mrshoe (697123) | more than 7 years ago | (#17233374)

PHP Security Expert...

Isn't that an oxymoron?

Re:PHP Security Expert (1, Interesting)

plierhead (570797) | more than 7 years ago | (#17234298)

I know exactly nothing about PHP, except that putting it on my Fedora box was a prereq to installing the mambo CMS, so I followed the instructions exactly.

My first introduction to php itself was about 6 weeks later when I found my network sagging under the load of a spam blast emanating from my now-compromised machine, broken into through a php exploit - kinda disgruntling and humiliating since I take the utmost care over security and this was the first ever breakin.

The first reaction when I told someone at work about this was "yeah, you'd have to be mad to run php on a box you don't want to get owned".

Lesson learned and now I would not touch php with a 20 ft pole.

On second thought... (5, Insightful)

phantomcircuit (938963) | more than 7 years ago | (#17233376)

On second thought I would have to agree that the majority of PHP flaws are due to unskilled programming.

just have a look [milw0rm.com]

Question from a .NET developer trying to go OSS... (1)

JacksBrokenCode (921041) | more than 7 years ago | (#17233542)

Are there better alternatives to PHP or is the answer just better coding practices while using PHP?

I ask because the majority of my experience is with C# and ASP.NET but I'm currently working on a project where the client would prefer to go with open-source alternatives. I'm not well versed in other platforms but have been looking at Apache/PHP/MySQL based on popularity & community. Ease of development is somewhat important, but speed & longevity (including security) are more important.

Sorry if this is a dumb question, I've never developed anything serious on a FOSS platform before.

Re:Question from a .NET developer trying to go OSS (5, Insightful)

mano_k (588614) | more than 7 years ago | (#17233572)

There sure are better alternatives to PHP in the OSS sector! PHP IMHO is a nice toy but nothing I would use in a commercial project.

A soon to be totally OS solution is of course JAVA with Apache and Servlets/JSP. Just take a look at Sun's website, they have a lot of information, examples and tutorials available. Also, Java is totally platform independent and easily installed on Windows, if that remains your development system.

Another, more recent sollution would be Ruby on Rails [rubyonrails.org], which has some realy niffty features.

And no, not a dumb question at all! One hint: If you've got the time, just download the OSS you are considering and play around with it, that's probably more useful than my dumb answer. ;-)

Re:Question from a .NET developer trying to go OSS (3, Interesting)

jrockway (229604) | more than 7 years ago | (#17233724)

Another, more recent sollution [sic] would be Ruby on Rails, which has some realy niffty [sic] features.


Rails is pretty cute. A more functional (but less "shiny") alternative is Catalyst [catalystframework.org]. It's written in Perl, which means you get the benefit of over 10,000 extension libraries from the CPAN [cpan.org] to draw upon. Perl also has some nice features that Ruby or PHP lack, like full native unicode support and automatic taint checking. It's also faster, because it's had 10 years to mature. Sadly people seem to be ignoring Perl these days, but with recent improvements it's nearly as cool as Ruby (check out "Moose").

Also, if you'd like to access a database with compound primary keys, ActiveRecord won't support that, but Catalyst's ORM (DBIx::Class) supports it fine.

Rails is good for quick apps like a wiki or a blog, but for more complicated internal applications, Catalyst is where it's at. Stop by the website, check out our advent calendar [catalystframework.org], or perhaps try the tutorial [cpan.org]. Join us in #catalyst on irc.perl.org if you have any questions!

Re:Question from a .NET developer trying to go OSS (1, Informative)

I Like Pudding (323363) | more than 7 years ago | (#17234264)

Also, if you'd like to access a database with compound primary keys, ActiveRecord won't support that, but Catalyst's ORM (DBIx::Class) supports it fine.

Bullshit [rubyonrails.org]

Rails is good for quick apps like a wiki or a blog, but for more complicated internal applications, Catalyst is where it's at.

I am hesitant to try any framework whose partisans routinely bash other frameworks. I'm used to getting this from Python; it's refreshing to see a Perl guy screaming at the wind.

Re:Question from a .NET developer trying to go OSS (1)

holy zarquon's singi (640532) | more than 7 years ago | (#17233870)

I second the bloke who mentioned Catalyst [perl.org]. In one sense it's a url path dispatcher, but it's pretty elegantly done with full debugging support. Sure it's perl, but many people think that's a plus.

Re:Question from a .NET developer trying to go OSS (2, Informative)

siddesu (698447) | more than 7 years ago | (#17233578)

there is a wide choice of languages and platforms.

languages: there's java, there's python, there's perl, and there are more. each of the first three is (IMHO) a lot better than php (as I know it, up to about v. 4) for building web applications.

servers: Apache, with either mod_perl or mod_python access to the APIs is very good. Of course, there's the plenty of java web servers and ways to run those with or without Apache.

platforms: look at the Apache foundation's site for java, perl and python modules.

development environment: I prefer Eclipse, but there are a few to choose from.

Good luck,

Re:Question from a .NET developer trying to go OSS (4, Insightful)

Shados (741919) | more than 7 years ago | (#17233618)

Yeah, with Java becoming open source, it's right in line for you. Learning Java as a C# programmer is a joke, the basics are 95% the same, especially if you use Java Faces (though I'm a bit "meh" about that).

You pull java with eclipse, apache, strut/spring/hibernate/junit, then pull any database that hibernate supports, and you're in business.

There's a learning curve, but you won't feel like anything is missing from .NET, really (I'm primarily a C# programmer myself, so I know where you're coming from). Unless you had an MSDN Universal license with Visual Studio Team Foundation, or were already using .NET 3.0 (Workflow, Communication, etc), this might actually give you a lot more power than what you are used to.

Re:Question from a .NET developer trying to go OSS (1)

Tim C (15259) | more than 7 years ago | (#17234196)

Learning Java as a C# programmer is a joke, the basics are 95% the same

I'll second that having come from the other direction - I'm a professional Java programmer and sometime hobbyist C# programmer. While I certainly wouldn't claim to be an expert and I've not done anything I'd consider particularly complicated (a couple of fairly noddy webapps and a couple of basic D3D things), C# was incredibly easy to pick up.

Re:Question from a .NET developer trying to go OSS (1)

aztracker1 (702135) | more than 7 years ago | (#17233950)

I looked through some of the other mentions... though you won't find a plethora of hosting options, if you plan on a dedicated server, you may want to give apache2 + mod_mono2 a look... ASP.Net 2 goodness running on linux... the client libraries for mysql, firebird and postgres are pretty mature. You can develop on windows, and test/deploy on linux.

If you are interested in something different, I would do as others have suggested, and look at Ruby/Rails, Catalyst or Java JSP/J2EE. Java will be the closest to C#, but I'm not such a fan of JSP.

Re:Question from a .NET developer trying to go OSS (1)

klagg (107206) | more than 7 years ago | (#17234076)

That depends (of course). Ruby on Rails is very nice, but the Ruby language is very different from C#. PHP is much more similar.
If you decide to go with PHP, have a look at the Symfony project [symfony-project.com]. It's a well-documented rails-like framework for PHP, it really promotes better coding practices.

Re:Question from a .NET developer trying to go OSS (1)

kahei (466208) | more than 7 years ago | (#17234132)


Moving from C#/ASP.NET (and presumably SQL Server) to PHP/MySQL is like chopping your hands off. You can do much better than that.

DB-wise, PostgreSQL is as powerful as SQL Server in most ways, and more powerful in many.

Language-wise, you have Python, Ruby, Java and even Perl. Perl is baroque and dated and I'm not sure I could recommend using it now. Java brings with it the whole Java stack and accompanying XML hell and performance issues (yeah, I know, they don't really exist and it's all a conspiracy). Ruby and Python are fairly different languages -- Ruby is more fun while Python is more powerful and better-supported.

But to be honest, there is absolutely no reason why you should leave C# at all if that's your preferred environment (and it's certainly at least as useful a skill as any of the above). Mono is pretty darn solid and it's possible to write web components with it that are 99% (maybe 100%, I dunno, but I seem to recall I found some minor issues) compatible across windows and Linux.

My choice would probably be a Python environment backed with PostgreSQL. As it happens, I use PHP and MySQL just for the sake of keeping au fait with the 'less robust' end of the market -- if that's not an issue I don't see why you should use them. After C#, PHP is a pretty bitter pill to swallow.

Re:Question from a .NET developer trying to go OSS (1)

This Is Ridiculous (234241) | more than 7 years ago | (#17234206)

I'm currently writing an app with Catalyst [catalystframework.org]. ("Currently" as in "paused to look something up while working on it and spotted this story".) It's based on Perl and usually combined with Template Toolkit, which uses a mini-language to describe templates. I definitely recommend it—it's about the cleanest way I've found to create a dynamic site.

Catalyst is designed to keep the different parts of your app separate from each other, unlike PHP which tends to encourage mixing presentation code with application logic. (You can write PHP apps nearly as cleanly as Catalyst apps, but Catalyst helps you do it while PHP makes it fairly inconvenient.) It basically carves your site into three big chunks—Model, which talks to the database; View, which talks to the web browser; and Controller, which bridges the other two. Typically you'll need a model for each database, a controller for each section of the site, and a view for each method used to access the site (HTML, RSS, web service, PDF...). Models are usually auto-generated, and the glue code for the views is written for you, so you basically just have to write your templates and application logic.

Because it's based on Perl, you automatically get a few bonus security features, like taint checking (which tracks user-provided data to ensure you don't use it in unsafe ways) and database libraries that use placeholders. Catalyst apps almost never use raw SQL either (they use libraries that create objects to represent the tables and records), so injection attacks are virtually impossible.

If you don't want to use Perl, Ruby on Rails is fairly similar, and I know a lot of people swear by it; Ruby has a shallower learning curve as well. It doesn't have the libraries or userbase Perl does, though.

Re:Question from a .NET developer trying to go OSS (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17234278)

Well I moved from C# to Java a couple of years ago when a client wanted to be able to deploy to AIX. I found the transition dead easy. If you fancy taking a look at Java and want a good starter IDE you could do worse than look at Sun's Java Studio Creator [sun.com] which has a lot of the same look and feel as Visual Studio and is free and open source. If you want something that rocks and don't mind paying for it IDEA [jetbrains.com]is easily the best IDE I've ever used for anything. Ruby on Rails [rubyonrails.org] is where all the hype is at the mo, of course, but I'm not much of a fan myself mainly because Ruby is so damn slow [debian.org].

Re:On second thought... (1)

sauge (930823) | more than 7 years ago | (#17233562)

These are great examples of how NOT to write code. I feel a little PDF book coming on in my fingers...

Re:On second thought... (1)

dam.capsule.org (183256) | more than 7 years ago | (#17233916)

The problem is PHP making it more difficult for a developer to program with security in mind. Escaping a value before putting it in an input tag should not take a whole "htmlentities($dangerous_user_value)" where a quicker "he($dangerous_user_value)" could do the job with less typing. Of course you can add that function yourself, but the framework should make it easy at first.

Take the mysql_escape_string/mysql_real_escape_string thing. They could have one simple function to escape the parameters of an SQL query and do the query like every other language (PreparedStatement in Java, I think Perl DBI has them too, ActiveRecord for Ruby on Rails), but no, they assume the user is intelligent enough to escape the parameters correctly and choose the right function to do so. But PHP is often used by beginners, so they don't know they need to escape parameters, and they are not forced to do it, so they won't know until some hackers use the hole to do some XSS tricks.

Add to that the $_* variables mess, tons of badly named and badly designed APIs (think implode($array, ',') and explode(',', $array)) and you have completely confused developers developing insecure web applications.

PHP was good five years ago but it has been lagging since.

Re:On second thought... (1)

aaronwormus (716976) | more than 7 years ago | (#17233934)

use PHP 5.2

ext/filter takes care of a lot of the input filtering mess. PDO takes care of the database specific quoting, as well as prepared statements.

PHP sucked 5 years ago, but is coming together now ;)
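The contrast drawn in the two comments above (hand escaping before building a query string versus PDO prepared statements, plus ext/filter for input validation and a short output-encoding helper), as an added example that is not from this thread or from the PHP project. It assumes PHP 7.1+ with pdo_sqlite and uses an in-memory SQLite database so it runs without a MySQL server; the table, its rows, the injection payload and the function names (findUserUnsafe, findUserSafe, parseUserId, he) are all constructed for the illustration.

```php
<?php
// Added example, not code from the thread or the PHP project.
// Shows the string-concatenation anti-pattern beside a PDO prepared
// statement, ext/filter validation, and an htmlspecialchars() shorthand.
// Assumes PHP 7.1+ with pdo_sqlite; all data below is constructed.

declare(strict_types=1);

// Vulnerable pattern: the request value is spliced straight into the SQL.
// $userId is assumed to originate from $_GET['id'] in a real app.
function findUserUnsafe(PDO $db, string $userId): array
{
    $sql = "SELECT id, name FROM users WHERE id = '" . $userId . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: a bound parameter is sent as data, never parsed as SQL,
// so there is nothing for the developer to remember to escape.
function findUserSafe(PDO $db, string $userId): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Input validation with ext/filter (PHP 5.2+): anything that is not a
// positive integer is rejected before it gets anywhere near a query.
function parseUserId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Output encoding: the short helper the thread wished the language shipped.
// ENT_QUOTES also encodes single quotes, so it is safe inside attributes.
function he(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed fixture: an in-memory database with two rows, one of which
// carries markup to show why output encoding is needed as well.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob<script>')");

$attack = "1' OR '1'='1";  // constructed injection payload

// The unsafe query becomes: ... WHERE id = '1' OR '1'='1' and returns every row.
printf("unsafe: %d rows\n", count(findUserUnsafe($db, $attack)));

// The prepared statement compares the column against the literal string
// "1' OR '1'='1", which matches nothing.
printf("safe:   %d rows\n", count(findUserSafe($db, $attack)));

// ext/filter stops the payload even earlier; a real id still passes.
var_dump(parseUserId($attack));  // NULL
var_dump(parseUserId('2'));      // int(2)

// Encode on the way out so the stored markup is rendered as text.
foreach (findUserSafe($db, '2') as $row) {
    echo '<li>' . he($row['name']) . "</li>\n";  // <li>bob&lt;script&gt;</li>
}
```

The two queries differ only in where the user value enters the statement; the hand-escaping route (mysql_real_escape_string and friends) can produce the same safe result, but it relies on every call site picking the right function for the connection's character set, which is exactly the step a beginner omits. Validation with filter_var and encoding with htmlspecialchars are the same discipline applied at the input and output boundaries.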

Re:On second thought... (1)

cortana (588495) | more than 7 years ago | (#17233992)

The problem is that it will take years for all the commonly-used PHP applications to be rewritten to use these new interfaces, if they ever are at all. And in the meantime all the other criticisms of PHP will still continue to apply.

Re:On second thought... (1)

aaronwormus (716976) | more than 7 years ago | (#17234062)

PHP can be written securely without using these new interfaces, so old code does not need to be rewritten to be secure. PHP5 is gaining momentum amongst developers, everyone I know uses PHP5 for any new projects. So it's just a matter of time before it reaches critical mass and the applications that aren't ported over will stop being used. The same thing can be said about Windows (I know it's a bad comparison): regardless of the patches that MS does to Windows XP, there are still a couple hundred thousand Windows ME machines out there working their little hearts out in botnets. The fact that people don't fix security issues in old code shouldn't affect the quality of development on the current platform.

Re:On second thought... (1)

Jessta (666101) | more than 7 years ago | (#17233962)

A programming language should attempt to prevent a programmer from making these kinds of mistakes, by making the mistakes obvious in the syntax.

Re:On second thought... (1)

timmarhy (659436) | more than 7 years ago | (#17234038)

BULL-SHIT. PHP security problems are not due to inexperienced programmers; there are lots of inexperienced programmers out there in many other languages, yet they don't produce anywhere near the vulnerable systems PHP accounts for.

Re:On second thought... (1)

kv9 (697238) | more than 7 years ago | (#17234232)

On second thought I would have to agree that the majority of PHP flaws are due to unskilled programming.

exactly. yet the flamy blurb seems to be contradicting itself:

Basic security issues are not addressed sufficiently by the developers. Zeev Suraski, Zend's CTO of course disagrees and points his finger at inexperienced programmers. But given the number of remote code execution holes in PHP apps this year, Esser might have a point. And he plans to continue his quest for security holes in PHP.

so it's the apps, stupid. how many buffer overflows do we find every day in C/C++ applications? lots. yet I dont hear many people slamming the language. the only serious problem with PHP is the low barrier to entry, which allows every droolmonkey with a text editor to start coding.

Re:On second thought... (0, Troll)

DrSkwid (118965) | more than 7 years ago | (#17234268)

The file upload exploit wasn't programmer error and this was the biggest cause of site defacements via PHP seen so far.

SQL Injection is the default mode of the PHP paradigm.

PHP is a toy language. It should be drowned in a bucket.

And I've been paid to program in it for longer than I care to remember though it was PHP3 when I started, you work it out :)

Atlas (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17233396)

"Howdy Atlas."
"Howdy, AC."
"What's up with that big round blue ball you're carrying?"
"That's the world. I carry it on my shoulders."
"Looks heavy."
"It is."
"Why do you carry it."
"Good question. Never really gave it much thought."
AC: *pause*
Atlas: *shrug*

PHP reminds me of IIS4 (4, Insightful)

93 Escort Wagon (326346) | more than 7 years ago | (#17233412)

We have a large group of students, staff, and faculty that all have varying degrees of write access to a departmental Apache web server. Every few weeks someone asks why we're not giving people PHP access. Users love PHP because it's so easy; it makes them feel like they're clever programmers. But it seems like security knowledge is never imparted alongside the PHP training. People seem to think it's as benign as plain old HTML. When they ask for PHP I tell them we have a policy about not giving scripting-level access to users without good justification, and they have no idea why that applies to them since "we don't want to do any scripting; we just want to make PHP web pages".

But even leaving all that aside - it seems like every SANS newsletter has multiple announcements either about a bug in some popular bit of PHP-based software, or else in PHP in general. Until that changes, we're sticking to Perl and Python. It's funny, in a way, since the first time I saw PHP I immediately thought of the days when I was writing Active Server Pages on IIS4, because structurally it is so similar - and now we all realize the similarities on the security side (or lack thereof) as well.

Being a code monkey myself... (1)

toadlife (301863) | more than 7 years ago | (#17233506)

...I must ask what you mean when you said PHP and ASP are "structurally similar". I'm assuming you mean vbscript, (as an ".asp" page can actually be written in many different languages), and I don't see much similarity between them, at least as far as their syntax.

Re:Being a code monkey myself... (1)

FooAtWFU (699187) | more than 7 years ago | (#17233554)

I think it's more like the:

<html><body><h1>HTML page</h1>
<? echo("<p>Hello!</p>"); ?>
<% Response.write("<p>foo</p>"); %>
</body></html>

embedded-code-via-fancy-tag business.
(And, well, so much for logic/presentation separation...)

Re:Being a code monkey myself... (1)

toadlife (301863) | more than 7 years ago | (#17233690)

Ok. Since the only two web scripting languages I've ever used were php and asp/vbscript, I had never considered that obvious similarity.

Re:Being a code monkey myself... (1)

Shados (741919) | more than 7 years ago | (#17233560)

The similarity is in the templating system. How you integrate code between tags inside an HTML template.

That has been the demise of ASP, in my opinion. ASP, by design, is supposed to be the "glue" between COMs, not actually be used as the language itself, like PHP. Tons of ASP apps have been written using the PHP architecture, because it is "possible", and it simply doesn't work well there. Fortunately, ASP.NET fixed that...almost. Now we have all the noobs writing all their logic in the code-behind instead ::sighs::

Anyway, just to confirm what toadlife is saying. PHP and ASP only look similar to the untrained eye. The architecture and the way they are meant to be used is TOTALLY different.

Re:PHP reminds me of IIS4 (0)

Anonymous Coward | more than 7 years ago | (#17233730)

The real problem seems to be a scripting language being too easy, so that anyone without any clue about security can get something that seems to work exposed on the internet.

Much of the PHP and Classic ASP "code" I've seen was garbage. I'm not saying all of it is garbage, but an awful lot of it sure is.

No language can prevent n00bs from creating SQL queries via string concatenation (vs prepared statements/parameterized queries) and such.

Not that PHP is a well designed scripting language nor that it's secure (I think it's trash), but either ways the main problem is with the people using the technology.

You don't typically see insecure code like that in programs made in languages where people actually have to learn programming before they can use it... Making something too simple might be a mistake sometimes.

Re:PHP reminds me of IIS4 (1)

mixnblend (1002943) | more than 7 years ago | (#17233922)

"we don't want to do any scripting; we just want to make PHP web pages"

Well, there's pretty much all the justification you need for not giving them access right there... :) Oh, nice usage of the semi-colon by the way, such an under-utilised form of punctuation in this day and age :)

The basic fact of the matter (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17233418)

Is that PHP is an out of control heap of junk. Only a complete idiot would put it on a server with an internet connection. Not to mention that the language itself is possibly the worst ever devised. I doubt a single competent person has ever been involved with its "design".

Open source is the issue (3, Funny)

Anonymous Coward | more than 7 years ago | (#17233484)

It's widely acknowledged that open source programs are inherently insecure. Whether the cause is the availability of the "internal blueprints", the free-for-all repository commit access, or the rampant theft of patents, one wonders. By contrast, Microsoft's .NET platform, including the widely praised C#, doesn't have this problem. The guarding of the internal source code, the standards-adhering developers, and the rock-solid legality of its software patents gives Microsoft an advantage versus the haphazard "open source" languages like PHP and Java. One wonders if this is a harbinger of future defections in the open source language camp. Speaking as a patent lawyer, I advise all developers to switch to .NET and Microsoft's enterprise-class C#.

Re:Open source is the issue (1)

The Bungi (221687) | more than 7 years ago | (#17233512)

I've always had a problem with the "LOLOL M$ SUXX" crowd, but this is stupid. The Apache code is also available, and it doesn't have these problems. The problem is the basic design of PHP, compounded by the large number of "developers" that have taken it up as the language du jour instead of using better-designed platforms like Python, Ruby or Java. Or yes, any of the .NET languages and ASP/IIS.

As I finished typing this I realized I'm probably feeding the troll ("patent lawyer", right) but oh well...

Re:Open source is the issue (0, Troll)

man_of_mr_e (217855) | more than 7 years ago | (#17233546)

The Apache code is also available, and it doesn't have these problems.

Have you noticed how many severe security flaws have been reported in Apache in the last few years?

Here's an exercise. Count the number of severe (or even not severe) flaws in IIS6 over the last 3 years, then compare that number to the number of severe (not even counting non-severe) flaws in Apache in the last year alone. Then take the number of severe flaws in PHP this year and compare it to the total number of flaws in ASP.NET since its inception 4 years ago.

Report back your results.

Re:Open source is the issue (0, Offtopic)

Almahtar (991773) | more than 7 years ago | (#17233704)

Bugs reported != bugs that exist, genius. Just because fewer bugs were reported for IIS doesn't mean there aren't as many or more: just that there aren't as many that are known and being worked on. Obscurity != security, and anyone who actually knows information assurance knows that.

Re:Open source is the issue (1)

man_of_mr_e (217855) | more than 7 years ago | (#17233838)

You're forgetting that obscurity didn't prevent IIS 6 from being one of the most targeted services. Remember Code Red? Nimda? IIS was actively being probed and assaulted looking for flaws, and that didn't just stop. It stopped because IIS6 was basically rewritten from scratch and was configured by default in a secure way.

Maybe there are flaws waiting to be discovered, but it doesn't change the point I was making, which is that the original post I responded to claimed that Apache hasn't had security flaws, but it has... lots of them. And compared to the competitors' products, especially when that competitor is Microsoft... that's just crazy.

Re:Open source is the issue (1)

Henry 2.0 (1017212) | more than 7 years ago | (#17233548)

MOD PARENT UP!!! FUNNY

It's widely acknowledged that open source programs are inherently insecure.

hahaha - you sir, are a baboon.

I love when the lawyers come and mix it up with the /. crowd

Re:Open source is the issue (1, Informative)

Anonymous Coward | more than 7 years ago | (#17233574)

Very true. My company just won a large contract to convert an app from a LAMP stack to a .NET 2.0/SQL 2k5 stack.

What sold the client was the rock-solid reputation of the .NET stack compared to LAMP, as well as the fact that we can achieve more TPM than LAMP on the same hardware.

Hmm... (1)

Almahtar (991773) | more than 7 years ago | (#17233680)

I'd love to justify your arguments by actually addressing them, but they just don't deserve it. Instead I'll just say that you, sir, are an idiot.

Re:Open source is the issue (0)

Anonymous Coward | more than 7 years ago | (#17233772)

Lawyers are the issue. They are clueless, ignorant, unprofessional, expensive, amoral, useless, selfish people that have nothing better to do than whoring for Microsoft's money.
I, as a developer, recommend software companies stop hiring patent lawyers. ;-)

Re:Open source is the issue (2, Insightful)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#17233964)

>open source programs are inherently insecure

Let's lock this person in a room with the OpenBSD developers.

Not a bad troll though.

Re:Open source is the issue (1)

timmarhy (659436) | more than 7 years ago | (#17234056)

"It's widely acknowledged that open source programs are inherently insecure" - FUD. don't feed the trolls. he has no valid point what so ever.

Re:Open source is the issue (2, Informative)

jasonwc (939262) | more than 7 years ago | (#17234144)

Perhaps I'm the only one that noticed, but I'm quite sure the parent was being sarcastic.

Actual announcement (4, Interesting)

kjart (941720) | more than 7 years ago | (#17233516)

Here's the announcement from the source himself, via his blog [php-security.org]. Based on that post I'd say he sounds pretty disgruntled with how his efforts towards security were received, i.e. "the PHP Group will jump into your boat as soon you try to blame PHP's security problems on the user but the moment you criticize the security of PHP itself you become persona non grata".

XSS by default (5, Funny)

Anonymous Coward | more than 7 years ago | (#17233556)

When I looked at Zend's introduction to PHP, the first sample PHP program was Hello World, and the second was a cross-site scripting vulnerability. Right, I'm going to trust these people.

As a PHP user.... (4, Interesting)

MasterC (70492) | more than 7 years ago | (#17233584)

As a PHP user, I have attempted to better the thing by reporting what I think are bugs. I can't name a single one that wasn't closed with a WONTFIX and a terse, non-thankful "that is a feature, not a bug." I honestly have zero disbelief that those same programmers would turn against Esser when he blamed the language, not the user, for the security problem.

In particular, the late static binding issue (if B extends A, then A::staticFunc() called as B::staticFunc() is run under class A, not B). It's like how it took MySQL a decade to get stored procedures and views despite many people asking for them. Many people complain about the late static binding issue, but last I knew it was still "it's a feature, not a bug."

Regardless, thanks for your work Mr. Esser...

Re:As a PHP user.... (3, Funny)

Shados (741919) | more than 7 years ago | (#17233594)

non-thankful "that is a feature, not a bug."
Oh boy...Microsoft bought out PHP...

Re:As a PHP user.... (1)

Parker Lewis (999165) | more than 7 years ago | (#17233906)

I have already made a lot of posts on bugs.php.net, but I always get the "that is a feature, not a bug".

PHP ought to be forked (4, Interesting)

Jesus_666 (702802) | more than 7 years ago | (#17233978)

Someone should fork PHP and do a major rewrite. Drop features like HTML embedding, introduce properly defined packages and make all functionality available in both procedural and OO fashions. Clean up the function names so they're predictable. And make some of the more dangerous functions safer.
PHP could be turned into a decent general purpose scripting language if someone would fork it. Unfortunately that means that we'd need someone who knows the codebase, has time and is fed up with the current PHP development process. Maybe we could talk Esser into it...

MOD PARENT UP (1)

DoktorTomoe (643004) | more than 7 years ago | (#17234036)

Those are the times I wish I knew more C/C++ to support such a fork.

So long, I am currently switching most of my PHP projects to Python (which is a PITA if you are used to PHP's MySQL handling and regexp support..., but a major step towards a more reliable webserver environment). Unfortunately, clients tend to insist on PHP ("Build it, we'll find a 15-year-old scriptkiddy to do the support and extensions...")

Re:MOD PARENT UP (2, Interesting)

gbjbaanb (229885) | more than 7 years ago | (#17234176)

Perhaps a better idea than forking PHP would be to add these desirable sections to Python instead.

Then a PHP to Python converter, and then we could start to forget about magic_quotes and safe mode.

Re:MOD PARENT UP (1)

Jesus_666 (702802) | more than 7 years ago | (#17234208)

Unfortunately, Python and PHP have vastly different principles behind them and Python isn't everyone's cup of tea. If one would change Python to include those things most liked about PHP the result wouldn't be anything near what Python is supposed to be.

he just left a mailing list... (4, Informative)

aaronwormus (716976) | more than 7 years ago | (#17233702)

The "news" is that Stefan Esser unsubscribed from the security@php.net mailing list.

Stefan Esser will continue to work on PHP security through maintaining the Hardened PHP project [1] which is a patchset to PHP which enables some low level security features into the language, as well as the suhosin extension [2] for PHP which can be used without patching PHP and "protects servers and users from known and unknown flaws in PHP applications and the PHP core".

I am personally of the "full disclosure" security mindset, so if there was indeed an issue with the response time of the "PHP Security Response Team" then some outside pressure would be a good thing.

More about this on Zeev's blog [3].

[1] http://www.hardened-php.net/ [hardened-php.net]
[2] http://www.hardened-php.net/suhosin.127.html [hardened-php.net]
[3] http://www.suraski.net/blog/index.php?/archives/15 -Stefan-Esser-quits-securityphp.net.html [suraski.net]

LOL Hardened PHP (0)

Anonymous Coward | more than 7 years ago | (#17233728)

Developed by the guy who came up with the phrase "We had to burn the village in order to save it"?

Love the 'inexperienced programmers' excuse.. (4, Insightful)

cheros (223479) | more than 7 years ago | (#17233740)

Wow, stunningly insightful response: "that's caused by inexperienced programmers". Here's a clue: it doesn't matter what the origin of the problem is (other than to fix it long term) - IT STILL NEEDS ADDRESSING. I've got news for you: the concept of covering large security-related cracks in code with prime bullshit is probably already patented by Microsoft.

Personally I would wonder if Esser's 'abrasive style' is not a result rather than a reason for not being listened to, and if this flags up a major problem in the way PHP is coded and maintained, I'm all for this move. There is no excuse for sloppiness.

So, the reaction discloses the attitude - seems Esser made the right move..

Not up-to-date on PHP security . . . (3, Interesting)

pembo13 (770295) | more than 7 years ago | (#17233782)

Can someone explain how it is that the apparent consensus is that PHP is insecure by design, aside from just poor programming? Thank you.

Re:Not up-to-date on PHP security . . . (2, Interesting)

aaronwormus (716976) | more than 7 years ago | (#17233918)

The "PHP Way" has always been to give the user sufficient power to shoot himself in the foot. The benefit is that the language itself is not slowed down by "features" which exist only to keep stupid programmers from hurting themselves. There are projects (like Hardened PHP and Suhosin) which add these security features to the language itself. There have also been "features" such as register_globals, the Get/Post/Cookie quoting and safe_mode which were prone to attack when not used correctly.

Re:Not up-to-date on PHP security . . . (1, Offtopic)

nicklott (533496) | more than 7 years ago | (#17233954)

They can't; they're all just curmudgeonly, aging Perl hippies, bitter and twisted cos the web left them behind around the time of HTML 3.2. Viva la Revolution!

Re:Not up-to-date on PHP security . . . (4, Insightful)

gbjbaanb (229885) | more than 7 years ago | (#17234252)

One of the biggest 'problems' is the way PHP is generally executed as an apache module. You get a lot of shared webhosts that run php as a module, and so the apache user runs the code. Fine, except that if you want to give your PHP script access to your data, you're effectively giving it access to everyone else's data too. So features like open_basedir were added to restrict this.

Then there are features like safe_mode that turns off many system functions that an attacker could use to get round the other restrictions, and register_globals which is a feature designed to work around an inherently insecure system of passing variables to PHP pages.

And so on, and so forth... possibly the biggest problem is the ease of coding it; the barrier to entry is so low you will attract coders who (to be polite) don't know as much as they could about programming. So you get a lot of PHP code that is poor quality, makes too many assumptions on things that they should have tightened up (e.g. not initialising variables to prevent an attacker from passing them in with their desired values), or not checking input to functions from the form or URL.

It's the same issue as VB - it was so easy to code VB apps, my boss could do it. So he did. And they looked, performed and crashed as if a manager had coded them :(

PHP security is a disaster by design (2, Interesting)

Anonymous Coward | more than 7 years ago | (#17233840)

Variables are untyped, so if you do $a + $b, it's not clear what the result might be. Variables do not have to be declared before use, so if I have code like:

$authorized = callAuthFunction();
if(! $authoorized) logoutUser(); // note the misspelling
mysql_query("UPDATE account SET ...."); // you get the idea

Whoops! Languages that have a permissive syntax make it easy for bugs to hide. And security flaws are just a particular subset of bugs. At a higher level, we have problems such as widespread use of direct DB access all over the place, instead of some kind of persistence layer, which results in likely SQL mistakes, and even injection attacks if the code isn't using correct PEAR DB. There's no true filter mechanism in PHP. There's no way to annotate objects as requiring a certain user-in-role. The whole thing is a big mess of C code and third party libraries, and there are good old fashioned C buffer overflow vulnerabilities in those areas too. Wee!

Re:PHP security is a disaster by design (0)

Anonymous Coward | more than 7 years ago | (#17233908)

Your example has nothing to do with strong vs. manifest vs. no typing. It has to do with the insanely braindamaged idea of automatic variable creation. PHP is just chock-full of this kind of incompetent 1st-grade bullshit. It's the world's only programming language designed by functional retards.

Re:PHP security is a disaster by design (0)

Anonymous Coward | more than 7 years ago | (#17233986)

Languages that have a permissive syntax make it easy for bugs to hide

Which is why you should never use Perl, PHP or any similar language for anything really important, especially if it is a large and complex product the general public will have access to.

Re:PHP security is a disaster by design (2, Insightful)

Anonymous Coward | more than 7 years ago | (#17234008)

Absolutely correct. PHP makes it so easy to create incorrect code, with no warnings, that it should never be used for public web sites. To fix PHP, they would need to introduce strong typing and mandatory declaration of variables. And pages should require compilation. And the "include" statement should be gone, replaced by another statement that does linking. None of those things would be huge changes and even junior-level PHP programmers could quickly learn these new rules. These changes would invalidate all existing PHP code but in the process of bringing the code up to the new standard, many many serious bugs would be shaken out. And there would be huge side-benefits for syntax-checking and development tools. It's obvious that this is the right thing to do, but the PHP team just doesn't understand much about programming languages or even good web application development.

Re:PHP security is a disaster by design (1)

solidox (650158) | more than 7 years ago | (#17234266)

Variables are untyped, so if you do $a + $b, it's not clear what the result might be.

There is a section of the manual which describes the behaviour to expect when types are mixed.
See... Type juggling [php.net]

You should always be developing with error_reporting(E_ALL|E_STRICT);
This would throw a Notice warning about the use of an undeclared variable when the code tries to access it.
Error reporting should more than likely be disabled for your production environment however.

(E_STRICT is PHP5, E_ALL on its own will still generate the Notice)
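The typo'd-variable bug from the "PHP security is a disaster by design" comment, the error_reporting(E_ALL) advice in this reply, and the "initialise your variables / use prepared statements" points made elsewhere in the thread, put together as an added example that is not code from any commenter. callAuthFunction() and logoutUser() are hypothetical stand-ins for the names used in the comment; the database is an in-memory SQLite via PDO so it runs with no server.

```php
<?php
// Added example (not from the thread): make the "undefined variable" mistake
// fail loudly, and show the hardened version of the same flow.
declare(strict_types=1);

// 1. Report everything and turn notices/warnings into exceptions. Reading an
//    undefined variable is an E_NOTICE in PHP 5/7 and an E_WARNING in PHP 8;
//    without a handler the script just carries on with null.
error_reporting(E_ALL);
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Hypothetical stand-ins for the comment's callAuthFunction()/logoutUser().
function callAuthFunction(): bool { return true; }
function logoutUser(): void { echo "logged out\n"; }

// 2. The buggy flow from the comment: $authoorized is never assigned, so
//    !$authoorized is always true and the UPDATE below it runs for every
//    request. With the handler above the typo now throws instead.
function buggyFlow(): string {
    $authorized = callAuthFunction();
    if (!$authoorized) logoutUser();   // typo: reads an undefined variable
    return "update ran";                // would have reached mysql_query()
}

// 3. The corrected flow: every flag is assigned before it is read (nothing
//    silently arrives from the request, the register_globals lesson), the check
//    is strict, a failed check returns instead of falling through, and the
//    query is parameterised rather than built by string concatenation.
function safeFlow(PDO $db, int $accountId, string $newEmail): bool {
    $authorized = callAuthFunction() === true;
    if (!$authorized) {
        logoutUser();
        return false;
    }
    $stmt = $db->prepare('UPDATE account SET email = :email WHERE id = :id');
    return $stmt->execute([':email' => $newEmail, ':id' => $accountId]);
}

try {
    buggyFlow();
} catch (ErrorException $e) {
    echo "caught: " . $e->getMessage() . "\n";   // "Undefined variable ..."
}

// Constructed sample data so the hardened flow can be exercised offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE account (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO account (id, email) VALUES (1, 'old@example.com')");
var_dump(safeFlow($db, 1, 'new@example.com'));
```

In production the same handler still applies; the thread's advice to disable display of errors refers to display_errors, not to error_reporting, so keep logging the notices even when they are not shown to the visitor.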

Here's an eye-catcher (4, Insightful)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#17233904)

>bugs were sometimes not correctly fixed or were re-introduced. This was often not noticed because there was no test-rig for exploits and the idea of having one was categorically rejected.

If that's accurate, and if there wasn't some unimaginable compelling reason, any security person would be unhappy.

Zend guy has a good point (1)

pikkumyy (445891) | more than 7 years ago | (#17234012)

Just because the language is easy is no reason to (attempt) to make it idiot proof. Numerous crappy 'security features' have already been added to the annoyance of decent programmers. Making it more secure by design would only encourage sloppy programming, which already is a big problem.

In related news (4, Insightful)

MosesJones (55544) | more than 7 years ago | (#17234152)

Law makers in Texas are debating a bill to enable people to own nuclear weapons and heavy artillery and to remove safety catches from guns.

"All you should need is a great big red button that says 'Fire'" said Congressman Bobby Ewing. "It's ridiculous that people are prevented from using these things and having to put up with safety devices; it just encourages sloppy thinking."

"By letting people launch nuclear weapons with a big red button we are making sure that everyone is aware of how to properly care for their nuclear weapon and that it is their God-given right and responsibility to fire it carefully" said some bloke in a hat. "I'm fed up with all the ridiculous procedures I have to go through to fire a gun, let alone blow up France, just because a few bleeding heart liberals feel they need to protect stupid people in New Hampshire."

In related news, Iowa has banned the use of indicators, roll cages, air bags, crumple zones and seatbelts as they give people too much sense of security. California has banned the use of door and window locks and the use of burglar alarms as they make houses "secure by design".

Secure by design is the only type of security that really counts.

Let me guess ... (0)

Anonymous Coward | more than 7 years ago | (#17234026)

"PHP Security Expert Resigns, cites own incompetence as reason".

Re:Let me guess ... (0)

Anonymous Coward | more than 7 years ago | (#17234106)

check out his blog. he doesn't seem that incompetent to me. he has created a patch set for php to harden it.

No bad dogs, only bad owners (2, Informative)

ajs318 (655362) | more than 7 years ago | (#17234166)

A bad worker blames their tools and a bad boss blames their workers.

There's no denying that PHP has things wrong with it. It started out as a bastard son of Perl, tried to be a bit more n00b-friendly and tripped over its own cleverness. The beauty of Perl is its very inconsistency. The functions you use most have the shortest names, and there is no need to clutter things up with unnecessary brackets around arguments. Regular expressions, which you are going to use all the time, have a distinct syntax. Number and string data types can be interchanged with such wild abandon, there have to be separate operators for addition and string concatenation (JavaScript, I'm looking at you). There are constructs to populate arrays quickly. All things are subordinate to the goal of letting a programmer get a job done. Easy things are easy, hard things are possible. Perl is so broad-minded, it even has the Principle of Equivalence built in!

PHP lures you in, with obviously_named_function($par1, $par2) ..... then trips you up with anotherobviouslynamedfunction($par2, $par1). You could say it's not all PHP's fault, as the functions originate from different shared libraries, and PHP is only providing an interface to them by their original name and with something like their original syntax. But it still smacks of laziness on the PHP developers' part. Short aliases for commonly-used functions (a context-sensitive editor can always expand them for the benefit of the anal retentive), and differently-named work-alikes for functions that take their parameters in a different order than you might expect, wouldn't have hurt. Would they?

Still, you've got two choices, I suppose. Learn to put up with the idiosyncrasies or learn another language. And never forget the Principle of Equivalence, "All Means to the same End are equally valid", nor its corollary, "Means which are not equally valid serve different Ends".

If he returns to the PHP after discussions (3, Funny)

maroberts (15852) | more than 7 years ago | (#17234184)

Would a suitable headline be "Goaded, Esser Back"?

Apologies to Douglas R. Hofstadter

Php weirdness (0)

Anonymous Coward | more than 7 years ago | (#17234230)

PHP is interesting.

Can anyone explain why the following code:

echo print("2"). 3 . print("4");

Results in the following output: 42311