At some point hitherto, Rodent of Unusual Size hath spake thusly:
> "Derek D. Martin" wrote:
> >
> > I'll go one better than that. If you use PHP, STOP. They have
> > security bulletins released about once a week, it seems (o.k. I'm
> > exaggerating A LITTLE). About the only "vendor" with more frequent
> > releases is Microsoft...
>
> Eh, I don't buy that. Please back it up with some references.
Ok, I'll back down partially in that upon review, many of the advisories I've seen I've mis-remembered; they were not actually PHP advisories, but for software written in PHP. However, just this year:

http://online.securityfocus.com/archive/1/258995
http://online.securityfocus.com/archive/1/258662
http://online.securityfocus.com/archive/1/255037
http://online.securityfocus.com/archive/1/254846
http://online.securityfocus.com/archive/1/254005
http://online.securityfocus.com/archive/1/250196

Some of these are considered fairly minor, in that the vulnerability is a possible exposure of what may be considered sensitive info. Some of these are things that can be fixed by altering the configuration of PHP. The problem is that it shows a pattern of failing to think about programming security issues. There are also some earlier advisories which complain about the design of PHP encouraging the development of insecure code.

It seems that writing secure PHP scripts is also very difficult, and there are quite a number of advisories for software written in PHP, which are not necessarily the fault of PHP, but perhaps encouraged by the design of PHP.

I stand by what I said: if you're using PHP, it is my opinion that you're better off from a security standpoint using something else. You have to worry about security problems in the software written using PHP, as well as those of PHP itself. For example, Perl has zero reported vulnerabilities over the same period of time, and only one report of a vulnerability in software written in it (a file disclosure bug caused by bad input validation).

I personally don't feel that PHP has a track record that warrants confidence in the security of your web server, and possibly your network depending on other trust relationships with your web server. Better, more proven alternatives exist.

-- 
Derek Martin [EMAIL PROTECTED]
---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org
