PHP, aka Pretty Hosed Programming

Posted 01-11-2006 at 09:02 PM by unSpawn

If you've read the SANS Top 20 of 2005, there is a clear message with respect to deploying PHP-driven applications: be paranoid or be cracked. A short tour of a few vulnerability reporting sites shows that, with programmers who can't be arsed to follow the most basic principles of programming, who force users to run their app with all essential security features off, and with undereducated users running those apps without questioning any of this, it will be another wonderful year for your average cracker. And you don't even have to use a search engine as your first line of recon, since some developers "proudly" show off a list of sites running their app, versions included. How cool is that.

Just as some source trees ship with test cases, PHP should come with its own checking tools (no, I don't mean all those publicly accessible phpinfo, analyze and security pages). And if PHP developers or application programmers can't be taught to practice Safe Hex, then at least we need our own general auditing tool for PHP-driven deployments (like the CastleCops PHP-Nuke thingie). If not as a standalone tool, then I think possible targets for inclusion could be Chkrootkit, Rootkit Hunter (a nice piggyback, since it's popular, but probably out of their scope), Tiger, or LSAT (Number9's, not Mixter's).

Now, how to find someone with the time to make a start on such an add-on?
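As an added example of the kind of check such an add-on would carry (example code written for this page, not from the original post and not taken from Chkrootkit, Rootkit Hunter, Tiger or LSAT): a POSIX shell audit that reads a php.ini the way PHP does (the last assignment of a directive wins), flags directives a production host should not run with, and then sweeps a docroot for leftover phpinfo() pages of the publicly accessible sort mentioned above. The php.ini directive names are real; which values are treated as risky, and the sample php.ini and docroot it runs against, are this example's own constructed choices. The directive list is the 2006-era one (register_globals, for instance, was removed in later PHP releases), so it needs maintaining as PHP moves on.

```shell
#!/bin/sh
# Added example, not code from the original post or from chkrootkit,
# rkhunter, Tiger or LSAT: a minimal PHP deployment audit of the kind such
# an add-on would carry. The directive names are real php.ini keys; which
# values count as risky is this example's judgement, tuned to the PHP 4/5
# era the post describes (register_globals is gone from modern PHP).

# ini_get FILE KEY
# Print the effective value of KEY in a php.ini: the last uncommented
# assignment wins, as in PHP itself; trailing ";" comments, quotes and
# whitespace are stripped and the value is lowercased. Prints nothing if
# the key is never set (PHP's compiled-in default then applies).
# KEY is assumed to contain no regex metacharacters (true for php.ini keys).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" \
        | sed 's/;.*//' | tail -n 1 \
        | tr 'A-Z' 'a-z' | tr -d '"[:space:]'
}

# audit_php_ini FILE
# Print one "directive=value" line per directive set to a value a
# production host should not run with. Returns 0 when clean, 1 otherwise.
audit_php_ini() {
    ini=$1
    findings=0
    # Each rule is "directive|risky values"; php.ini accepts On/1/True/Yes
    # (and Off/0/False/No) interchangeably, so all spellings are listed.
    for rule in \
        'register_globals|on 1 true yes' \
        'display_errors|on 1 true yes stdout' \
        'allow_url_fopen|on 1 true yes' \
        'allow_url_include|on 1 true yes' \
        'expose_php|on 1 true yes' \
        'log_errors|off 0 false no'
    do
        key=${rule%%|*}
        val=$(ini_get "$ini" "$key")
        for bad in ${rule#*|}; do          # word-splitting is intended here
            if [ "$val" = "$bad" ]; then
                echo "$key=$val"
                findings=$((findings + 1))
            fi
        done
    done
    # open_basedir: empty or missing means scripts may read any path the
    # web server user can.
    if [ -z "$(ini_get "$ini" open_basedir)" ]; then
        echo "open_basedir=(unset)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# find_phpinfo DOCROOT
# List PHP files under DOCROOT that call phpinfo(): each one hands the full
# configuration, loaded modules and paths to anyone who can reach the URL.
# grep's "no match" status is not an error here, hence the trailing "|| :".
find_phpinfo() {
    find "$1" -type f -name '*.php' \
        -exec grep -l 'phpinfo[[:space:]]*(' {} + || :
}

# make_sample_tree
# Build a throwaway directory holding a constructed php.ini and docroot
# (nothing here is taken from a real host) and print its path.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/php.ini" <<'EOF'
; constructed sample: a permissively configured PHP 5 host
register_globals = On        ; request variables become globals
display_errors = Off
display_errors = On          ; later assignment wins, as in PHP
log_errors = Off
allow_url_fopen = On
expose_php = On
open_basedir =
EOF
    mkdir -p "$dir/htdocs/admin"
    printf '<?php\nphpinfo();\n' > "$dir/htdocs/info.php"
    printf '<?php\necho "hello";\n' > "$dir/htdocs/index.php"
    printf '<?php\n// left behind by an installer\nphpinfo ( INFO_MODULES );\n' \
        > "$dir/htdocs/admin/test.php"
    echo "$dir"
}

# Demo run against the constructed sample.
SAMPLE=$(make_sample_tree)
echo "== php.ini directives to fix =="
audit_php_ini "$SAMPLE/php.ini" || echo "(host is not clean)"
echo "== phpinfo() pages reachable from the docroot =="
find_phpinfo "$SAMPLE/htdocs"
rm -rf "$SAMPLE"
```

Run it as-is to see the findings on the constructed sample; to check a live host, point audit_php_ini at the php.ini that `php --ini` reports and find_phpinfo at the real docroot. Hooking it into rkhunter or Tiger would be little more than calling the two functions from their test harness; what actually needs upkeep is the list of directives and values to flag, which changes with every PHP release.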