PHP Vulnerabilities Announced
Simone Klassen writes "The Hardened-PHP Project has announced several serious and, according to them, easy-to-exploit vulnerabilities within PHP. A flaw within the function unserialize() is rated as very critical for millions of PHP servers, because it is exposed to remote attackers through lots of very popular web applications. The list includes forum software like phpBB2, WBB2, Invision Board and vBulletin. It is time to upgrade now."
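The summary's point is that unserialize() becomes remotely reachable whenever a web application feeds client-supplied bytes (cookies, hidden form fields, session blobs passed through the browser) straight into it. The following is an added example, not code from the article or from the Hardened-PHP Project, showing that exposure pattern beside two defensive alternatives: decoding plain data with json_decode() against an allowlist, and verifying an HMAC before any serialized state is parsed. Function names, cookie names and the `$secret` key are hypothetical; `allowed_classes` and hash_equals() assume PHP 7 or later, so they are not something the 2004-era applications named above could have used.

```php
<?php
// Added example (not from the article or Hardened-PHP): how a web application
// typically exposes unserialize() to remote input, and safer patterns.
// Function and cookie names are hypothetical.

// Exposure pattern: a cookie holding serialized preferences is handed
// straight to unserialize(). Whatever the client sends reaches the parser,
// so any bug in unserialize() is remotely reachable.
function loadPrefsUnsafe(array $cookies): array
{
    $raw = $cookies['prefs'] ?? '';
    $prefs = @unserialize($raw);          // untrusted bytes hit the parser directly
    return is_array($prefs) ? $prefs : [];
}

// Safer pattern: never hand client-controlled bytes to unserialize().
// Use a decoder that yields only plain data (JSON), bound the size before
// parsing, and keep only allowlisted keys of the expected type.
function loadPrefsSafe(array $cookies): array
{
    $raw = $cookies['prefs'] ?? '';
    if (strlen($raw) > 1024) {            // cheap size bound before any parsing
        return [];
    }
    $prefs = json_decode($raw, true, 4);  // associative arrays only, shallow depth
    if (!is_array($prefs)) {
        return [];
    }
    $allowed = ['theme' => 'string', 'per_page' => 'integer'];
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (isset($prefs[$key]) && gettype($prefs[$key]) === $type) {
            $clean[$key] = $prefs[$key];
        }
    }
    return $clean;
}

// If serialized state must round-trip through the client, sign it on the
// server and verify the signature before decoding, so tampered input is
// rejected before unserialize() ever runs. $secret is a hypothetical
// server-side key that never leaves the server.
function decodeSignedState(string $blob, string $secret): ?array
{
    $parts = explode('.', $blob, 2);      // format: <hex hmac>.<serialized payload>
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $payload] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {  // constant-time comparison
        return null;                      // reject before parsing anything
    }
    // allowed_classes => false keeps the result to scalars and arrays.
    $state = unserialize($payload, ['allowed_classes' => false]);
    return is_array($state) ? $state : null;
}
```

The signed variant only helps if the application, not the client, is the sole producer of the payload; if any client-chosen data can be signed and echoed back, the allowlisted JSON path is the one to use.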
But, Microsoft has the luxury of being able to pay people to look for flaws.
PHP and every other OSS project just sort of sits around waiting for someone to come along and volunteer to do so.
If HPHP hadn't come along, no one would be looking, and the vulnerabilities would go unpatched.
Do you ever sit there going over thousands to millions of lines of code that someone else wrote, looking for obscure flaws? It's the kind of boring, thankless job that no one would do unless they were paid to. HPHP found them as a side effect of doing something else.
The very fact that there's a need for a separate "Hardened PHP" project or "SE Linux" project should say something about the stability and security of those projects' bases. If Linux was so secure and unhackable, why did the NSA spend so much money rewriting it? If PHP is so enterprise-ready, why would people try to create a "hardened" version of it?
I don't need no instructions to know how to rock!!!!
Wow, all that flamebait packed into one post. Kudos!
:-)
I mean, you're completely wrong and utterly ignorant, but nice post!
(OK, you're right about PHP. It does suck.)
It's a strange world -- let's keep it that way