On Thu, Jun 19, 2003 at 07:20:37PM -0500, David Phillips wrote:
> Oh, it's ok then, because everything has security holes.  Gee.
> 
> It's not difficult to write a nice message board that doesn't have security
> holes, especially in a language like PHP.  I wrote a good one about three
> years ago (clone of Allaire Forums).  Perhaps I should tidy it up and
> release it as open source.
> 
> If you have security holes in your PHP application, then you're doing
> something seriously wrong, and should learn about basic security before
> attempting to write web applications.

Most people using PHP do so because they wanted to learn the easiest thing
out there, and they heard PHP was it. These people have no idea what
security is, or how anything really works; this is why I'm skeptical about
anything written in PHP.

Sometimes the security hole is in PHP itself, and is exploited via your
'program' due to it using whatever function is vulnerable.

Just like Apache can have an exploit due to a bug in openssl, or strace
can have an exploit because of a bug in the kernel. 

Programs rely on libraries and the kernel itself; you can't guarantee
anything unless you know every bit of code your program interacts with
or depends on is bug-free.

There are also circumstances where something that was once fine becomes
a 'bug' due to new functionality (or bugs) added elsewhere (see above).

As for your PHP message board, if you have it running on the same system
it was 'about three years ago' then it's vulnerable. You must be doing
something seriously wrong, and should learn some basic security before
attempting to write web applications.

strcpy and gets were once considered fine functions as well.

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203

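The strcpy/gets point above is the one concrete technical claim in this thread, so here is an added illustration (not code from either poster) of why those two functions cannot be made safe by careful use and what the bounded replacements look like. Both `copy_bounded` and `read_line_bounded` are hypothetical names chosen for this example; the behaviour they implement is simply "never write past the caller's buffer, and tell the caller when input did not fit". The constructed inputs in `main` are for demonstration only.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* buffer size used by the demonstration in main() */

/* Outcome of a bounded copy or read, so the caller can react to truncation
 * instead of silently losing data (or, with strcpy/gets, silently overrunning). */
typedef enum {
    COPY_OK = 0,        /* input fit completely */
    COPY_TRUNCATED = 1, /* input was longer than the buffer; rest discarded */
    COPY_BAD_ARGS = 2,  /* NULL pointer or unusable buffer size */
    COPY_EOF = 3        /* no line available (end of file or read error) */
} copy_result;

/* Bounded replacement for strcpy(): copies at most dst_size-1 bytes and
 * always NUL-terminates. strcpy() has no size parameter at all, which is
 * why no amount of care at the call site makes it safe against long input. */
copy_result copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARGS;
    size_t n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, n + 1);   /* includes the terminating NUL */
    return COPY_OK;
}

/* Bounded replacement for gets(): reads one line into buf (at most
 * buf_size-1 bytes), strips the newline, and drains the remainder of an
 * over-long line so the next call starts on a line boundary. A line that
 * ends exactly at the buffer limit is reported as COPY_OK, not truncated. */
copy_result read_line_bounded(char *buf, size_t buf_size, FILE *fp)
{
    if (buf == NULL || fp == NULL || buf_size < 2)
        return COPY_BAD_ARGS;
    if (fgets(buf, (int)buf_size, fp) == NULL) {
        buf[0] = '\0';
        return COPY_EOF;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return COPY_OK;
    }
    /* No newline in the buffer: either the line ended exactly at the limit
     * (next char is '\n' or EOF) or it was longer than the buffer. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return COPY_OK;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;                       /* discard the part that did not fit */
    return COPY_TRUNCATED;
}

/* Demonstration on constructed input: one name that fits, one that does not. */
int main(void)
{
    char name[NAME_LEN];
    printf("%d: %s\n", copy_bounded(name, sizeof name, "alice"), name);
    printf("%d: %s\n", copy_bounded(name, sizeof name, "a-name-that-is-much-too-long"), name);
    return 0;
}
```

The design choice worth noting is the return value: a bounded copy that truncates silently is only half a fix, because a caller that believes it stored the whole input may later make a decision based on a mangled value. Returning `COPY_TRUNCATED` lets the caller reject the input rather than guess.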
_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list