Re: Shocking amount of PHP security holes? [message #171123 is a reply to message #171077]
Sat, 25 December 2010 22:34
Twayne
In news:z4-dnWZpZ8C28I7QnZ2dnUVZ_sqdnZ2d(at)giganews(dot)com,
Ignoramus30015 <ignoramus30015(at)NOSPAM(dot)30015(dot)invalid> typed:
> I have been looking at my apache logs, and I see a tremendous amount
> of queries that clearly are attempts to hack me.
>
> One typical example:
>
> 87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com
>
> Many other examples about, where attackers try to override system
> variables with web-supplied parameters. Kind of overriding PATH or
> LD_LIBRARY_PATH variables to subvert setuid programs.
>
> My main question is WTF? Why exactly does PHP let remote web users
> override those variables?
>
> This situation is why I never permit php software on my servers, with
> exception of mediawiki. Even here I am very reluctant.
>
> I use another language to make websites, and in that language web
> parameters can be received by querying for them specifically, they do
> not clobber system variables.
>
> Can someone shed light on this, this question bugs me a great deal.
>
> i
Just like most any major programming language, PHP cannot interpret
when/where/how you're going to need "security". It is up to YOU to write the
CODE to make your website secure, as with any other language. It's impossible
to interpret what will be needed for security tomorrow, let alone being hard
enough keeping up with today. Anything a language does contain becomes
obsolete often before it's released. W3schools.com and php.net will do a
good job of teaching you how to handle security. And there are literally
thousands of sites covering security coding for any language you can
think of. Just watch you don't pick a black hat.
HTH,
Twayne
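The request in the quoted log line is a directory-traversal probe: the attacker assumes some script opens a file named by the bi parameter, the run of ../ climbs to the filesystem root, and the trailing %00 is there so that a C-level file call truncates the name and ignores whatever suffix the script appends. The 404 says no such script existed on that server. What follows is an added example, not code from either poster, of a check that is more reliable than grepping the log for "etc/passwd": a Python script that parses Apache combined-format lines with the trailing virtual-host field seen above, decodes every query parameter a second time to catch double-encoding, and tags values that contain a NUL, climb out of their starting directory after normalisation, or resolve to a well-known sensitive file. The first sample line is the one from the post; the other two lines, the addresses in them and the SENSITIVE_FILES list are constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format plus the trailing virtual-host field seen in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<vhost>\S+))?\s*$'
)

# Files that have no business being named in a query parameter (assumed list).
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group", "/proc/self/environ"}

# First line is the one quoted in the post; the other two are constructed.
SAMPLE_LOG = [
    '87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com',
    '10.0.0.5 - - [22/Dec/2010:00:02:00 -0600] "GET /manuals/index.php?bi=intro HTTP/1.1" 200 5120 "-" "Mozilla/5.0" my.site.com',
    '198.51.100.7 - - [22/Dec/2010:00:03:30 -0600] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 210 "-" "curl/7.21.0" my.site.com',
]


def parse_log_line(line):
    """Split one log line into named fields, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def analyse_value(value):
    """Tag one query-parameter value (already decoded once by parse_qsl).

    Returns a sorted list drawn from: 'null-byte', 'absolute-path',
    'traversal', 'sensitive-file'. An empty list means nothing suspicious.
    """
    tags = set()
    decoded = unquote(value)  # second decode catches %252e%252e%252f style double-encoding
    if "\x00" in decoded:
        tags.add("null-byte")
    # The attacker intends everything after the NUL to be dropped by a C-level
    # file call, so the part before it is the real target. Treat backslashes
    # as separators too, for scripts that run on Windows.
    path = decoded.split("\x00", 1)[0].replace("\\", "/")
    if path.startswith("/"):
        tags.add("absolute-path")
    # A relative path that still starts with '..' after normalisation climbs out
    # of whatever directory the script prepends to it.
    if posixpath.normpath(path).startswith(".."):
        tags.add("traversal")
    # Resolve against an imaginary document root: '..' above '/' is discarded,
    # just as the kernel does, so this is where the open() would land.
    if posixpath.normpath("/" + path.lstrip("/")) in SENSITIVE_FILES:
        tags.add("sensitive-file")
    return sorted(tags)


def analyse_request(target):
    """Return {param_name: tags} for every query parameter with findings."""
    query = urlsplit(target).query
    findings = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        tags = analyse_value(value)
        if tags:
            findings[name] = tags
    return findings


def scan_log(lines):
    """Return (ip, status, target, findings) for each suspicious request."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # not combined format; a real deployment would count these
        findings = analyse_request(rec["target"])
        if findings:
            hits.append((rec["ip"], int(rec["status"]), rec["target"], findings))
    return hits


if __name__ == "__main__":
    for ip, status, target, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
        for name, tags in findings.items():
            print(f"    {name}: {', '.join(tags)}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the status column is worth keeping in the output, because a 200 next to a 'sensitive-file' tag is the case that needs investigating, while the 404 in the post means the probe hit nothing.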