[WEB SECURITY] AT&T exposes /etc/passwd , bad php
Arian J. Evans
arian.evans at anachronic.com
Mon Jul 27 22:55:09 EDT 2009
You are a man (?) after my own heart re: Ultraedit & macros auditing of source.
There has been a significant amount of work done over @OWASP regarding
secure coding in PHP. Cue Andrew van der Stock.
I agree that PHP by default makes it easy to shoot yourself in the foot.
C# and the .NET framework probably make it the hardest to shoot
yourself in the foot. Java is a little better, but you have to reach
out for 3rd party frameworks and APIs like ESAPI to make doing a good
job easy(ier). I rarely ever see directory traversals in C#/.NET and
Java apps, though I found a major one in .NET (due to
canonicalization and mis-ordered authorization) back in 200/2 or /3.
Haven't seen one like that in the six years since.
This said: I have seen a few folks do a decent job coding securely in
PHP. See above.
Ultimately I think choice of language and framework is a business
decision, and I try not to tell people what they should have coded
things in. I don't find this very productive (unless they ask, from
the start). There are sound business reasons someone might choose
PHP/LAMP.
So now we are way off topic,
--
Arian Evans
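The two PHP failure modes this thread turns on, a directory traversal that reaches /etc/passwd and unescaped echo output, side by side with a hardened handler that canonicalizes the path before authorizing it. This is an added example, not code from the thread or from the AT&T application; the scratch document root and the file-viewer handler names are assumptions.

```php
<?php
// Added example (not from the thread or the AT&T app): a file-viewer handler in
// its vulnerable form and a hardened form. The hardened version canonicalises
// with realpath() BEFORE the directory check and escapes output before echo.
// $docRoot and the function names are assumptions for illustration.

declare(strict_types=1);

// Vulnerable: the 'file' parameter reaches the filesystem unchecked, so
// '../../../etc/passwd' walks out of the intended directory, and the name is
// echoed unescaped, so it can carry script markup into the page.
function viewVulnerable(string $docRoot, string $file): string
{
    $path = $docRoot . '/' . $file;
    $body = @file_get_contents($path);
    return "<h1>$file</h1><pre>" . ($body === false ? 'not found' : $body) . '</pre>';
}

// Hardened: resolve base and request to canonical absolute paths, authorise
// only after canonicalisation by requiring the resolved path to sit under the
// base (symlinks and '..' are already collapsed), and escape all HTML output.
function viewHardened(string $docRoot, string $file): string
{
    $base = realpath($docRoot);
    if ($base === false) {
        return '<p>misconfigured</p>';
    }
    // NUL bytes truncate paths in the C layer; reject them up front.
    if (strpos($file, "\0") !== false) {
        return '<p>invalid request</p>';
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $file);
    // realpath() is false for nonexistent files; otherwise it must stay under $base.
    if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return '<p>invalid request</p>';
    }
    $body = file_get_contents($resolved);
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $esc($file) . '</h1><pre>' . $esc($body) . '</pre>';
}

// Constructed usage: run from the CLI against a scratch directory as docroot.
$root = sys_get_temp_dir() . '/docs_example';
@mkdir($root);
file_put_contents("$root/readme.txt", 'hello');
echo viewHardened($root, 'readme.txt'), PHP_EOL;
echo viewHardened($root, '../../../../etc/passwd'), PHP_EOL;   // rejected
echo viewHardened($root, '<script>x</script>'), PHP_EOL;       // rejected, and escaped
```

The ordering matters: checking the raw string for "../" and then resolving it is the mis-ordered authorization pattern mentioned above; resolve first, then decide.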
On Mon, Jul 27, 2009 at 6:43 PM, Matt Parsons <mparsons1980 at gmail.com> wrote:
> Dee,
> I agree insecure code is insecure code. If you don't validate input
> it can be bad and therefore insecure in any language. That is secure coding
> 101.
> I have completed source code reviews in Java and .NET and there are
> many more resources available to write secure code in these languages. PHP
> being a scripting language is more insecure. In my career, I have scanned,
> using an unmentioned vendor neutral, static code analysis vendor for
> thousands of LOC in PHP. I have also completed hand audits of PHP code
> using ultraedit. Just the functionality of echo introduces a whole new
> realm of XSS vulnerabilities never mind the one with the directory traversal
> attack at AT&T.
> I think PHP security is a new practice and standards need to be put in
> place to write PHP securely. Does anyone disagree with me? Does anyone
> have experience writing PHP securely and doing source code reviews in PHP?
>
> Thanks,
> Matt
>
>
>
> Matt Parsons, CISSP
> 315-559-3588 Blackberry
> 817-238-3325 Home office
> mparsons1980 at gmail.com
> www.parsonsisconsulting.com
>
>
>
>
> -----Original Message-----
> From: Dee [mailto:damien.watson at gmail.com]
> Sent: Monday, July 27, 2009 8:21 PM
> To: websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] AT&T exposes /etc/passwd , bad php
>
> 2009/7/28 Matt Parsons <mparsons1980 at gmail.com>:
>> Personally, I would have written the application
>> in a language that is a bit more secure like .NET or Java.
>
> And you can still fail to validate data at the relevant boundary in
> .NET and Java.
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA