Yeah, I can personally attest to that. After spending a few months on the OSVDB as a mangler and developer, I quickly realized that the bevy of vulnerabilities we worked on every day were primarily PHP based. Now granted, setting "register_globals off" (which essentially prevents a user from overwriting variables in a page) will mitigate most of these vulnerabilities, but it was still alarming to see. Not to mention the fact that most people are spending their time looking for XSS or SQL injections, whereas the upward trend looked more like remote file inclusion vulnerabilities, which are more dangerous to the host machine rather than to an unsuspecting end-user. Maybe someone can remind me of who said "Once the bad guy is running code on your machine, it's no longer your machine." :)

JS
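To make the two points above concrete (register_globals letting request data pre-set page variables, and an unchecked include turning that into file inclusion), here is an added illustration that is not code from the thread or from any project it mentions. The template names, the `templates/` directory and the function names are assumptions chosen for the example; the vulnerable function returns the path it would have included so the behaviour can be seen without touching the filesystem.

```php
<?php
// Vulnerable shape: register_globals=On (emulated here with extract(), which
// does the same thing explicitly) lets a request parameter pre-set $page, so
// the "default" assignment below is never applied when ?page=... is supplied.
function render_page_vulnerable(array $request): string
{
    extract($request);             // ?page=foo silently becomes $page = 'foo'
    if (!isset($page)) {           // false whenever the request set it
        $page = 'home';
    }
    // In the original pattern this string went straight into include();
    // with allow_url_include=On a URL here is remote file inclusion (RFI),
    // and "../" sequences give local file inclusion even without it.
    return $page . '.php';
}

// Hardened shape (assumed layout): read input explicitly, map it onto a
// fixed allow-list of local templates, and never build a path from the raw
// string. Anything not in the list simply misses the lookup.
const PAGE_TEMPLATES = [
    'home'    => __DIR__ . '/templates/home.php',
    'about'   => __DIR__ . '/templates/about.php',
    'contact' => __DIR__ . '/templates/contact.php',
];

function resolve_template(array $request): ?string
{
    $requested = (string)($request['page'] ?? 'home');
    return PAGE_TEMPLATES[$requested] ?? null;   // null => reject with 404
}

function render_page_hardened(array $request): void
{
    $path = resolve_template($request);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Defensive configuration check: report the ini directives that make the
// vulnerable pattern reachable, so a deployment can refuse to start on them.
function risky_php_directives(): array
{
    $bad = [];
    foreach (['register_globals', 'allow_url_include', 'allow_url_fopen'] as $d) {
        if (filter_var(ini_get($d), FILTER_VALIDATE_BOOLEAN)) {
            $bad[] = $d;
        }
    }
    return $bad;   // empty array means none of the risky directives is on
}
```

With `['page' => '../../etc/passwd']` the vulnerable function hands back `../../etc/passwd.php` unchanged, while `resolve_template()` returns `null` and the hardened handler refuses the request.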
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenneth Van Wyk
Sent: Tuesday, December 19, 2006 7:33 AM
To: Secure Coding
Subject: [SC-L] PHP security under scrutiny

Interesting article about PHP security: http://www.securityfocus.com/news/11430

Among other things, NIST's vul database shows, "Web applications written in PHP likely account for 43 percent of the security issues found so far in 2006, up from 29 percent in 2005."

Happy reading...

Cheers,
Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________