http://www.php-security.org/
PHP is one bottomless security hole; IE is God's mercy compared to it.
Not so long ago a friend of mine found 20-30 PHP holes with a fuzzer (a little Perl script of around 50 lines of code):
http://www.infigo.hr/hr/in_focus/advisories/INFIGO-2006-04-02
Note these parts:
Quote:
Code audit of the PHP discovered more than 20 vulnerabilities in PHP4 and PHP5.
Most of them were reported by third parties and fixed before publication of this
advisory. However, several vulnerabilities are still present in the latest PHP
version
...
No fix is available after more than 45 days from initial vendor contact.
Incidentally, this guy Stefan Esser, the originator of that project, is quite a
heavyweight when it comes to PHP security:
Quote:
Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left).
Back when he left the PHP Security Response Team,
he said that fixing PHP security "from the inside" is a completely futile process:
Quote:
Stefan Esser, PHP security specialist and member of the official PHP Security Response Team has, he says, had enough - in his blog he has announced his immediate resignation from the PHP Security Response Team. He states that he has various reasons for doing so, the most important of which is that his attempt to make PHP safer "from the inside" is futile. According to Esser, as soon as you try to criticise PHP security, you become persona-non-grata in the security team. In addition many of his suggestions were ignored because the developers considered Esser's choice of words, too abrasive. He says that he had stopped counting the number of times he was called a traitor when he published a bug report on a vulnerability in PHP.
Fortunately, there are also PHP implementations on
superior platforms, so you can, for example, apply
CAS policies to PHP applications :)