Stefan Esser retires from PHP security response team

Andy Wardley abw at wardley.org
Fri Dec 15 08:48:20 GMT 2006


Adrian McMenamin wrote:
> How so? Surely that is a badly installed web server, not Perl for Hopeless
> Programmers that is to blame?

I wasn't implying that the web server process runs as root. Rather that
PHP apps have traditionally come complete with security holes that can be
used to exploit and ultimately root a machine.

It's the low cost of entry that's mainly to blame. It's a Good Thing because
it puts the power to write web applications in the hands of people who
otherwise wouldn't have a clue where to start. But it's also a Bad Thing
because it puts the power to write web applications in the hands of people who
lack a proper understanding of the security issues, and in some cases even the
basic principles of good programming practice.

The same was true of Perl 10 years ago - witness Matt's Script Archive. It's
not that Perl is a "bad language" or that Matt was an inexperienced coder who
didn't know any better at the time. The real problem came from the fact that
it was so damn easy to upload these scripts onto your web server, holes and
all.  PHP takes this to the next level.

It reminds me of the motor car. Not because it has four wheels and goes "Broom
Broom" while chucking pollutants out the back end, but because low cost of
entry has allowed every damn fool to have one. And when every damn fool has
one, you've got roads full of people driving when tired, drunk, or applying
make-up in the rear-view mirror. In the end people get hurt or killed.

With great power comes great responsibility.  With PHP it's usually an
afterthought.

A
