[SATLUG] The web page
Tom Weeks
tweeksjunk2 at theweeks.org
Thu Dec 1 20:28:42 CST 2005
On Thursday 01 December 2005 01:27, Bruce Dubbs wrote:
> Tom Weeks wrote:
> > My only suggestion is to stay away from PHP based solutions.. Too many
> > vulnerabilities.
>
> I've not heard much about this. Are you saying that the language is
> inherently vulnerable or that the people who use php don't know how to
> do it securely?
It's a little of both...
Some actual PHP problems:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAN-2004-1018
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAN-2004-1063
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAN-2004-1064
with more detail in the overview link below...
As for poor PHP app programming, vulnerable PHP web suites are one of the
biggest ways, nowadays, that active content web servers are being hacked.
Rackspace saw a rash of hacked phpBB sites due to the inherent
vulnerabilities of that particular suite. Other PHP-based community packages
such as vBulletin and CivicSpace also have major vulnerabilities. But phpBB
is particularly famous for very sloppy and insecure coding (in code like their
infamous viewtopic.php and auth.php code).
> Do you have any references?
Here's a good overview of some of the PHP package attack vector highlights
from this year:
http://www.cert-in.org.in/advisory/ciad-2005-07.htm
Just be careful, research the security of the various community portals or CMS
suites that you're looking at, including the security history of each.
You might also want to ask your Rackspace support team which packages that
they've seen the most customer success with, as well as those with the most
compromises.
Tweeks