That's why I've actually chosen to stick with Perl CGI for my needs:
security, and the fact that CGI or Perl is stable and not likely to
break, which really hasn't been the case with the PHP upgrades. Plus,
to some extent I think PHP being easier attracts less skilled
programmers, which also leads to this problem. My 0.02.

On 7/5/05, Post, Mark K <[EMAIL PROTECTED]> wrote:
> This type of problem is unfortunately all too common with PHP.  The PHP
> developers seem to have real problems with writing secure code.  So much
> so that some commentators have recommended completely avoiding the
> package.
> 
> 
> Mark Post
> 
> -----Original Message-----
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
> Jim Knox
> Sent: Tuesday, July 05, 2005 7:39 AM
> To: [email protected]
> Subject: PHP-based Content Management Programs Under Threat
> 
> 
> For those running some of the more popular content management systems
> (php based), there is a security warning announced here:
> 
> http://www.phpmag.net/itr/news/psecom,id,22674,nodeid,113.html
> 
> fyi...........................Jim
> 
> 
> 
> 
> 05.07.2005
> 
> Popular free and open source blogging, wiki and content management
> programs face a security threat in the way PHP programs handle XML
> commands. According to James Bercegay, researcher at GulfTech Security
> Research <http://www.gulftech.org/> who found the flaws, an attacker can
> compromise a Web server through a security hole in the XML-RPC function.
> 
> In two PHP libraries, PHPXMLRPC and Pear XML-RPC, the flaw allows
> applications to exchange XML using remote procedure calls and fails to
> check incoming data for malicious commands. Bercegay said the level of
> the threat was "high risk" and affects popular PHP programs such as
> PostNuke, Drupal, b2evolution, TikiWiki and others. The PHP libraries
> have been updated, and are available for download. For developers who
> cannot upgrade to the new libraries, disabling the XML-RPC functions has
> been a recommended solution.
> 
> PEAR XML_RPC 1.3.1 upgrade can be found here
> <http://pear.php.net/package/XML_RPC/download/1.3.1>. The PHPXMLRPC
> upgrade can be downloaded here
> <http://sourceforge.net/project/showfiles.php?group_id=34455&package_id=26601>.
> 
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions, send
> email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or
> visit http://www.marist.edu/htbin/wlvindex?LINUX-390
> 


-- 
If it weren't for an American pointing a gun at the bad guys, you'd be
a helluva lot worse off.  -Barbara Boxer
