PHP Vulnerabilities Announced
Simone Klassen writes "The Hardened-PHP Project has announced several serious and according to them, easy-to-exploit vulnerabilities within PHP. A flaw within the function unserialize() is rated as very critical for millions of PHP servers, because it is exposed to remote attackers through lots of very popular webapplications. The list includes forum software like phpBB2, WBB2, Invision Board and vBulletin. It is time to upgrade now."
Most of these vulnerabilites come down to checking user input. If you are properly checking user input against a set of known good values and rejecting any input that is not a match, your chances of being vulnerable decrease dramatically.
Yes, I'm a big fan of php, but like any language out there, there are vulnerabilites. PHP had a bigger problem with register_globals being defaulted to on. Not to make light of these vulnerabilities, but if you are checking user input (assuming you're not using a downloaded package) you should be pretty safe.
You do realise it's a SUBSET of the slashdot population complaining about ASP being garbage, and a perhaps different SUBSET taking OSS software bugs without complaint. There are NO double standards if you stop looking at Slashdot as one person with one brain and a million voices.
The prof I had for my DB class largely hates MySQL with a passion and is an Oracle partisan, but he looked one of the students in the eye and told them to basically shut up when they complained about MySQL versus Oracle. He told the whiner that they should be glad that it worked at all and that they have no right to expect any quality for something they didn't pay for. For some it was a profound statement: MySQL kinda works for you, well guess what, you haven't spent any money on it so who are you to bitch at the guys who work on it... they owe you nothing.
Products from Zend can be expected to perform very well, but not something that is free for public use. The fact that PHP is so high quality, open and free, gives it some leeway that Microsoft's ASP.NET implementation doesn't deserve. People don't have to spend several thousand dollars to setup an environment capable of hosting PHP because it's free, and all of the tools needed to run it are free.
None of this of course negates the fact that security holes in PHP are just as serious in practice as those in ASP.NET and need to be fixed ASAP. The difference is how we should perceive free software bugs versus commercial software bugs. When we actually buy a license for a commercial product, we should be able to expect something reasonably akin to top notch quality. Microsoft is getting better in that regard, but the level of quality they have delivered in the past is abysmal compared to what a commercial entity should be delivering.
By all reasonable expectations, a company like Microsoft should be delivering extremely secure products. They pay very large sums of money to hire some of the brightest minds, and they charge accordingly. Therefore the public has a right to expect extremely comprehensive testing, including OpenBSD-style line-by-line code audits for things like buffer overflows. Does it not surprise anyone that a small project like OpenBSD can find the time and manpower to do that on such a large code base for the manpower present, but Microsoft, a company with probably at least ten times the manpower for just the Windows team cannot?
Click here or a puppy gets stomped!