
PHP.net breach: Concern over safety of source code

Maintainers of the PHP programming language spent the past few days scouring their source code for malicious modifications after discovering the security of one of their servers had been breached. The compromise of wiki.php.net allowed the intruders to steal account credentials that could be used to access the PHP repository, …

COMMENTS


Paranoia?

Okay, it could be the Chinese government, but couldn't it just be a good old fashioned because-I-can hack?

5
0

Paranoia!

So the Chinese government tries to infiltrate open source software? Must be desperate.

Well, I wonder what standards for code audits Microsoft and Adobe have... "What could possibly go wrong!"

0
6

Yes, yes, here is a title.

PSST. You did notice that 2 different open source vulnerabilities were used in this attack didn't you? How's that open security audit treating you?

(I'm not dissing open source of course, just pointing out the log in the eye of the above poster.)

I'm guessing that they are doing what every code repository does (or will do) when something like this happens. Scrambling like mad to figure out what happened, what got changed and what can be done to improve processes. Oh, and blamestorming.

Other repositories should be tightening up their knickers right about now also. If they aren't too late already.

When will people learn to be OS (and even corporate) agnostic?

4
1

passwords and php.net

The whole php.net infrastructure is fragile. Take a look at the php-web repository in svn and related repos.

To authenticate users, cookies are used with the base64(user:pass), transmitted over cleartext. php.net hosts are authenticated by master via a token which is transmitted and the md5sum (available in the repo) is then compared. Some of the hosts can access scripts that dump the complete users/passwords list of php.net accounts.

Scary enough?

0
0
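The two weaknesses this post describes (a base64(user:pass) cookie in clear, and a host token checked against an md5sum kept in the repo), each beside a hardened form, as an added example that is not code from php.net or from the poster; it assumes PHP 8 and uses an in-memory array as a stand-in for a server-side session store:

```php
<?php
declare(strict_types=1);

// 1. The cookie scheme described: base64(user:pass). base64 is an encoding,
//    not encryption, so anyone who can read the cookie (network, proxy logs,
//    browser storage) recovers the credential directly.
function decode_legacy_cookie(string $cookie): ?array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || !str_contains($raw, ':')) {
        return null;
    }
    [$user, $pass] = explode(':', $raw, 2);
    return ['user' => $user, 'pass' => $pass];
}
// Constructed sample: decode_legacy_cookie(base64_encode('alice:s3cret'))
// yields ['user' => 'alice', 'pass' => 's3cret'] with no secret needed.

// 2. Hardened session cookie: an opaque random id that is only a lookup key.
//    The credential never travels again after login. $store is a hypothetical
//    server-side store (an array here so the example runs without a database).
function issue_session(array &$store, string $user): string
{
    $sid = bin2hex(random_bytes(32));             // 256 bits of entropy
    $store[$sid] = ['user' => $user, 'issued' => time()];
    setcookie('sid', $sid, [
        'secure'   => true,                       // never sent over cleartext HTTP
        'httponly' => true,                       // not readable from script
        'samesite' => 'Strict',
    ]);
    return $sid;
}

function session_user(array $store, string $sid): ?string
{
    return $store[$sid]['user'] ?? null;          // lookup only, nothing to decode
}

// 3. Host-to-master authentication. A static token compared against an
//    md5sum that is readable in the repo is a fixed password that can be
//    replayed by anyone who saw it in transit. Hardened form: a per-request
//    HMAC over host, timestamp and nonce, keyed with a secret that lives only
//    in the master's environment, verified in constant time and rejected
//    when outside the freshness window.
function sign_host_request(string $secret, string $host, int $ts, string $nonce): string
{
    return hash_hmac('sha256', "$host|$ts|$nonce", $secret);
}

function verify_host_request(
    string $secret, string $host, int $ts, string $nonce, string $mac,
    int $now, int $maxSkew = 300
): bool {
    if (abs($now - $ts) > $maxSkew) {
        return false;                             // stale: replay outside the window
    }
    $expected = sign_host_request($secret, $host, $ts, $nonce);
    return hash_equals($expected, $mac);          // constant-time comparison
}
// The master should also remember nonces seen inside the window so that a
// captured request cannot be replayed within it.
```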

PANIC! PHP isn't secure!

Seriously, it was always a crap language. Modularity added as an afterthought, too late, so nobody uses it. A bazillion ways to do things. Not a good recipe for security. Add in all the clueless WordPress (etc) admins, and you have... malware infestations galore. It's outta control.

2
10
Anonymous Coward

Back to your help desk, troll.

"Modularity added as an afterthought, too late, so nobody uses it."

PEAR? PECL? Apache hooks? People use those. Some of us even write our own. When we have time to waste on C. Or did you just mean in the language itself? The proliferation of frameworks would put the lie to that claim. Perhaps you're referring to namespaces. Surprise! Recent feature not yet widely adopted!

"A bazillion ways to do things."

And I recall the C++ tards recently touting "enough rope" as a positive.

"all the clueless [...] admins"

Yes. Let's blame stupid webmasters on PHP. It's not like we had any of those before PHP.

"malware infestations galore. It's outta control."

Infestations that target software written in C, C++, Java, Python, etc, etc. I guess all those SCADA systems were written in PHP. No? ...

3
1

re: PANIC! PHP isn't secure!

PHP isn't secure. Look, I'll program in damn near anything. PHP is the most insecure.

Take a look at major corporate websites (5,000+ employees). There's a reason why they don't use PHP.

My major gripe with PHP is that it doesn't support Application variables. Application variables are a godsend if a website is under attack and the database is down.

I know, I know, there are PHP zealots out there who will accuse me of blasphemy. The truth is, for the most part it's not the programming language, it's the programmer behind the language that's the most important. BUT, in the case of PHP, it is simply missing features that you find in ASP.NET, ASP, Python, etc.

Case in point - the people behind the PHP language can't secure their own PHP application. The people who are responsible for the language forgot to put security features in their application. What security features did they forget to put in their language?

Please vote this post down if you are a mindless PHP drone.

0
1
Anonymous Coward

Mindless anti-PHP drone

"PHP is the most insecure."

You back up this point by talking about ... missing features.

"Take a look at major corporate websites (5,000+ employees). There's a reason why they don't use PHP."

Citation needed. How many of them use Python? How many of them ... have been aggressively sold the Microsoft package? How many of them have been using Perl since ... forever and are unlikely to change ... ever?

"My major gripe with PHP is that it doesn't support Application variables. "

Really? If you can't get it together to implement this yourself, I hate to think what your caching strategy is like. But when your database goes down, what exactly is it you're serving up to your site visitors? "You are the 100th visitor since our database went down".

"BUT, in the case of PHP, it is simply missing features that you find in ASP.NET, ASP, Python"

Missing features lead to poor security? I thought it was too many features leading to poor security. Yeah, PHP has no ViewState. The horror.

"Case in point - the people behind the PHP language can't secure their own PHP application."

I sincerely hope the PHP devs aren't responsible for maintaining the website. Division of labour and all that.

"The people who are responsible for the language forgot to put security features in their application. "

The people who are responsible for the language didn't write DokuWiki (which doesn't use a DB by the way).

0
1

Re: Mindless anti-PHP drone

> You back up this point by talking about ... missing features.

Exactly!

> Citation needed. How many of them use Python? How many of them

> ... have been aggressively sold the Microsoft package? How many of

> them have been using Perl since ... forever and are

> unlikely to change ... ever?

None that I can find or have audited are using PHP. Few major corporations (5000+ employees) are using Perl, either. In a corporate environment where there are many programmers, high level languages are required (ASP.NET, Python, etc.) You are welcome to find a bunch of major corporations (5000+ employees) and prove me wrong.

>> "My major gripe with PHP is that it doesn't support Application variables. "

> Really? If you can't get it together to implement this yourself...

Um, you can't implement Application variables in PHP because THE FEATURE IS MISSING. Using a database or filesys wastes resources. Look, if your website is under attack, cycles count. Being able to remove the assailant cross-platform with one instruction is vastly more secure and powerful than a bulky workaround that wastes resources with a dozen instructions AND either a database or filesys connection.

I also use Application variables to cache common page areas across sessions. Again, just one EFFICIENT instruction.

Oh, I forgot to add - PHP seems to be the hacker language of choice for widdle kiddles looking for login pages to hack. I see these silly children scanning my website for hundreds of non-existent PHP pages. I never, ever see them scanning my website for ASP.NET or Python pages.

0
0

re: PANIC! PHP isn't secure

"Take a look at major corporate websites (5,000+ employees). There's a reason why they don't use PHP."

To be fair, although security is likely an issue as to why you don't see online banking software written in PHP, I think the reason major corporations don't use PHP is because of a historical lack of decent development tools, which makes things like refactoring rather difficult. The lack of strong typing also makes it more difficult for large teams to work on different parts of the application.

Also, vendor recognition was another big issue. Java and .NET are firmly entrenched as the corporate language of choice because most large corporations were already doing business with Microsoft and Sun at the time the Web exploded onto the scene. Keep in mind that during Sun's prime, and before the explosion of Linux on the scene, over 70% of Fortune 1000 companies were Sun customers.

1
0
Anonymous Coward

You're in management. Right?

> > You back up this point by talking about ... missing features.

> Exactly!

If PHP is insecure because it doesn't have application variables, then so is perl, and ... well most languages. Keep missing the point as to why some stacks (!) have them and some don't.

> None that I can find or have audited are using PHP. Few major corporations (5000+

> employees) are using Perl, either.

So you're arguing that perl is insecure again. And ... well most languages.

> > Really? If you can't get it together to implement this yourself...

> Um, you can't implement Application variables in PHP because THE FEATURE IS MISSING.

Wow. You implement the stuff that isn't there. Failest. In the context of a LAMP stack, one can implement app vars in PHP using a shared memory module, or with an Apache module. Sure, it's a bit of work. But no language fits every hole. Not even Java.

> Using a database or filesys wastes resources.

Memory?

> I also use Application variables to cache common page areas across sessions. Again, just

> one EFFICIENT instruction.

You cache big chunks of HTML in memory? I'm guessing you don't build sites or apps for small businesses.

> Oh, I forgot to add - PHP seems to be the hacker language of choice for widdle kiddles looking

> for login pages to hack. I see these silly children scanning my website for hundreds of non-

> existent PHP pages.

You seem not to have noticed the argument about the number of PHP web apps and frameworks.

And ... "my website". That's kind of telling. What happened to the "audits"?

0
0

Let me count the ways...

Gee, let me count the ways I can access your PHP code. If it's Windows anything, I can just login to the server and xcopy it. Just boot into Safe Mode on most machines, no account required.

Seems like paranoia. Say if an employee copies it and hides his tracks? Sure it seems like 'magical' access, but it's not.

In other words, it sounds more like social engineering than anything else.

0
6
Anonymous Coward

So your point would be ...

... that Windows is insecure? Windows wasn't written in PHP by the way.

1
0

The title is required, and must contain letters and/or digits.

I think the OP is somehow failing to grasp the concept of computing beyond the desktop...

0
0
DJV

Actually...

I think the OP is failing to grasp <insert anything you like here>

5
0

Passwords?

"...maintainers are forcing password changes for all accounts with access to the source repository..."

Oh dear. They appear to be relying on passwords to provide security.

1
3
Anonymous Coward

Well ...

... one might argue that simple password access to a code repo is too near the usability side of the usability-security spectrum.

1
1

And yet there are people...

And yet there are still people who want to claim PHP does not have inherent security problems / does not make securing sites notoriously difficult. Sorry, but when the PHP Group itself can't even secure its own site? Yeah, your technology has security problems.

0
1
Anonymous Coward

Which people?

"And yet there are still people who want to claim PHP does not have inherent security problems"

All languages have inherent security problems.

"Sorry, but when the PHP Group itself can't even secure its own site?"

The language developers probably aren't responsible for the website ...

0
0

PHP Security

@BillG, Jodo Kast, various ACs

Ummm ... PHP wasn't the problem. I will allow you to go back and re-read the article and its attendant links, if you like, prior to calling you complete idiots.

Look especially hard for the systems that were compromised in this hack ... and please, if you see "PHP" in there, somewhere, clean your glasses and look again.

Thanks. Complete idiots.

0
2

re: PHP Security

And yet you are the one that has to resort to name calling... Interesting how that works. If you go back and read the article, you will notice that the exploit was in DokuWiki. Which, you guessed it, is written in PHP. So maybe you are the one that needs to go back and read the article before you start calling other people names?

In 2009, over 60% of vulnerabilities reported in Web applications involved PHP. That's not to say that all of the vulnerabilities were in PHP itself. But over 60% of the vulnerabilities were in PHP applications. Granted, PHP is a popular language. But it is not *that* popular that it can explain such a huge discrepancy.

So there are a couple of conclusions we can come to. Either, PHP developers, including the ones that work on some of the most popular and complex PHP applications out there, are simply bad or careless programmers. Or we can conclude that PHP has inherent problems that make writing secure PHP code much more difficult than it is in other languages. So difficult, that even talented programmers have a very hard time doing it.

We already have evidence to support the idea that PHP has problems with security. For example, PHP's much maligned "safe_mode", which was in fact, not safe at all, and was trivial to bypass. Or PHP's so called "magic quotes" which was supposed to protect against SQL injection attacks, but in fact, did not. And of course, one of the prominent PHP security team members, Stefan Esser, resigned out of frustration because he claimed that the PHP team was not taking security seriously, and would rather just always blame the developers, rather than fix what he had pointed out were obvious security issues with PHP.

Most of the security issues that have plagued PHP since 2004, according to OWASP, have been executable code injection attacks. The simple fact is, these kind of attacks are rarely a problem in many other Web app technologies, such as Java.

There is plenty of evidence out there to support the concern that PHP is inherently much more difficult to secure than many other web technologies.

1
1

Anonymous Language Troll

"And yet you are the one that has to resort to name calling... Interesting how that works. "

Zealot? Mindless drone? That's name-calling. But let's not descend to "he said it first".

"In 2009, over 60% of vulnerabilities reported in Web applications involved PHP. "

Citation needed. And of course, we all know about reported vs actual. I do hope you're not someone who ever denies that argument's validity against open source software. It's hard to tell, what with you being anonymous and all ...

"That's not to say that all of the vulnerabilities were in PHP itself. But over 60% of the vulnerabilities were in PHP applications. Granted, PHP is a popular language. But it is not *that* popular that it can explain such a huge discrepancy."

Okay, data boy. You've put together half the equation there. Exactly how popular are PHP web apps compared to non-PHP web apps? You've no idea, have you?

Google some product names. 684,000,000 hits for vBulletin, versus ... well ... I can't actually think of any popular ASP.Net forums. Yabb gets 11,000,000. Struggling to find any sizable figures for any non-PHP forum software really.

"So there are a couple of conclusions we can come to."

No there aren't. You have an incomplete data set.

We could conclude that if you wanted to hack windows boxes, you don't need to look for holes in some .NET forum software that no-one's ever heard of and that may or may not be installed. If, on the other hand, you want to hack Linux boxes, you might be well-advised to look for holes in widely-deployed software and privilege escalation exploits.

It would be interesting to know where you come down on arguments like these in the open-vs-closed source arena. But again, being anonymous and all ...

"We already have evidence to support the idea that PHP has problems with security. For example, PHP's much maligned 'safe_mode', which was in fact, not safe at all, and was trivial to bypass. Or PHP's so called 'magic quotes' which was supposed to protect against SQL injection attacks, but in fact, did not."

Magic quotes. Really? Fail.

"Stefan Esser, resigned out of frustration because he claimed that the PHP team was not taking security seriously, and would rather just always blame the developers, rather than fix what he had pointed out were obvious security issues with PHP."

Stefan Esser: 'I am quite sure that most servers are hacked through PHP application vulnerabilities and not through vulnerabilities in the PHP core.'

"executable [sic] code injection attacks"

What? Like XSS? Perhaps you meant remote file inclusion. Enough rope and all that. Or buffer overflows. The rejoinders to such hand-picked cherries are boundless.

But, you know, turn off allow_url_fopen and your problem is gone. What's that? Java doesn't protect you against stupid configurations either?

"There is plenty of evidence out there"

There is plenty of bile and waffle out there. A lot of it on forums powered by PHP. I see OWASP still runs a PHP Wiki ...

0
1

re: Anonymous Language Troll

Ok. My number was off. It was 45%. Not 60%. According to NIST. I'll admit when I am wrong.

"Google some product names. 684,000,000 hits for vBulletin"

That just means that vBulletin is a popular application. It says nothing about how many applications are written in PHP.

As far as open source vs. closed source. I strongly support open source. But that doesn't mean that I want the world seeing all of my server side business logic, something that I believe happened to FaceBook back in its early days (or was it Digg?) after hackers found an exploit, got the Web server to send back the raw PHP code, and then posted it for the world to see? And something, I might add, would not have been possible in a language like Java because your code is not stored in a Web accessible directory.

As far as "executable code injection attacks", I don't mean XSS attacks (which obviously are a problem in any Web technology). I mean things like remote file inclusion, or executing shell commands on the remote server, or PHP code that gets executed through the use of eval, and so on. Granted, these should be easily avoidable. But for some reason, they are very common in PHP.

It's true that Java doesn't protect you against stupid configurations. But it's also true that out of the box, Java app servers are not nearly as stupidly configured as a default install of PHP is.

Stefan Esser: "I have realised that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon you try to blame PHP's security problems on the user but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called immoral traitor for disclosing security holes in PHP or for developing Suhosin."

Of course, the PHP team instantly demonized him and said the reason he actually left is because he couldn't get along with the rest of the team.

1
0
Anonymous Coward

More

I would also add that from the beginning, Java encouraged the use of safer design patterns, such as the front controller design pattern, which gives only a single point of entry into your application such that all requests have to go through a dispatcher that then routes them to the proper page / controller. PHP on the other hand, encouraged very sloppy design and multiple entry points, which not only made code harder to maintain, but reduces security as well.

I would like to think that most PHP developers have moved beyond that now and adopted design patterns such as the front controller. But these types of design patterns have also proven somewhat difficult in PHP because of performance reasons. Look at Zend's relatively dismal performance after all.

1
0
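The single-entry-point front controller this post argues for, with templates kept outside the document root (the point made later about JSPs) and the allow_url_fopen / remote file inclusion configuration argued over earlier, as one added example; this is not code from the page, php.net or any poster, and the directory layout, route names and php.ini values are assumptions:

```php
<?php
// index.php: the single public entry point (front controller pattern).
// Assumed layout, constructed for this example:
//   /var/www/example/public/index.php    the only file under the document root
//   /var/www/example/app/pages/*.php     page templates, not web-accessible
//
// Assumed php.ini hardening (both include directives are PHP_INI_SYSTEM, so
// they cannot be changed from script and must be set in php.ini):
//   allow_url_fopen   = Off   ; no http:// or ftp:// wrappers in fopen/include
//   allow_url_include = Off   ; include/require can never load a remote URL
//   display_errors    = Off   ; stack traces and paths stay out of responses
declare(strict_types=1);

// Templates live outside the document root, so the web server cannot serve
// their source even if PHP processing is disabled or misconfigured.
const PAGE_DIR = __DIR__ . '/../app/pages';

// The pattern this replaces, shown only as a comment:
//   include $_GET['page'] . '.php';
// It builds a filesystem path (or, with allow_url_include on, a URL) from the
// request, which is the file-inclusion weakness the thread argues over.
// The hardened form never derives a path from input: the request string is
// only an exact key into a fixed routing table.
const ROUTES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/** Map a requested route name to an absolute template path, or null. */
function resolve_route(string $requested): ?string
{
    if (!array_key_exists($requested, ROUTES)) {
        return null;                                   // unknown route: 404
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . ROUTES[$requested]);
    // Defence in depth: the resolved file must still sit inside PAGE_DIR,
    // even if the routing table is later edited carelessly.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Refuse to serve at all if the runtime still permits remote includes. */
function refuse_if_remote_include_enabled(): void
{
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        http_response_code(500);
        exit('Server misconfigured: allow_url_include must be Off');
    }
}

refuse_if_remote_include_enabled();

$requested = $_GET['page'] ?? 'home';
$template  = resolve_route(is_string($requested) ? $requested : '');
if ($template === null) {
    http_response_code(404);
    exit('Not found');
}
require $template;                                     // the only include in the app
```

Anything that is not one of the three route keys is rejected before a path is ever built, which is what makes the include target independent of the request.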

Guns don't kill people

I've been developing in PHP for several years now and I'll happily admit that it's not the greatest language - it feels like it's been stuck together with sticky tape and bits of paper. Why use it? It's everywhere, and it's easy to find cheap hosting.

Its ubiquity is the reason why PHP is the language of choice for those operating out of Amateur Alley. A lot of the code you see is total rubbish and there is little attention paid to design principles. I can't say that the language is the problem here - if you have some idea about how to design software, it's quite ok. In the hands of someone who is driven by the quick and dirty approach to coding, it's a disaster.

0
0
Anonymous Coward

You're really not worth it.

"Ok. My number was off. It was 45%. Not 60%. According to NIST. I'll admit when I am wrong."

Citation needed.

"That just means that vBulletin is a popular application. It says nothing about how many applications are written in PHP."

So name me some widely-deployed web-apps written in Java that might come under the scrutiny of black-hats and white-hats, particularly as a means to root a server.

Then ... drumroll ... go here:

http://sourceforge.net/search/?q=cms

Down the page a bit, on the left. Broken down by language. Apology accepted in 5 ...

"Something I believe happened to FaceBook back in it's early days (or was it Digg?)"

Who knows. Your vague memories of something are sure to be the basis of a good argument though. Right?

"after hackers found an exploit, got the Web server to send back the raw PHP code, and then posted it for the world to see?"

The plural of anecdote is not data. The most verbose error messages I see on the web these days are from Java stacks that have fallen over. That's bad config, not bad Java. To pretend it's the latter based on a few isolated experiences would be bad argument.

"And something, I might add, would not have been possible in a language like Java because your code is not stored in a Web accessible directory."

Neither is my PHP. I suppose it could be. But so could a perl or python script or ... drumroll ... a jsp file. What you really mean is "My Java is teh bestzors". Even you know how retarded that is, or you'd un-AC.

"As far as 'executable code injection attacks'"

I still don't know what you mean by that. If the code can't be executed ...

"I don't mean XSS attacks (which obviously are a problem in any Web technology) ..."

... and an example of code injection.

"I mean things like remote file inclusion"

Then you should have said remote file inclusion. I'd have given you that. Although, again, config. And since 5.2 ... okay, I wouldn't have given you that.

"or executing shell commands on the remote server"

Classic way to own a windows box. Via SQL injection no less. I believe Java still has Runtime.getRuntime.exec(badData) ...

"or PHP code that gets executed through the use of eval"

Oh. So PHP is the only language that has eval?

"Of course, the PHP team instantly demonized him and said the reason he actually left is because he couldn't get along with the rest of the team"

Were you there? Games of "he said, she said" are not the basis for rational argument.

0
0
Anonymous Coward

re: John Dee

"Citation needed."

I gave you a citation. NIST (National Institute of Standards) statistics.

"So name me some widely-deployed web-apps written in Java that might come under the scrutiny of black-hats and white-hats, particularly as a means to root a server"

Well, for comparison purposes: PHP 5.3, according to Secunia, has had 91 vulnerabilities since it was released. Apache Tomcat 6, which is the Java servlet container that powers eBay, the vast majority of online banking sites (it's the servlet container that most J2EE servers are built on), and a substantial amount online trading sites, has had 32 vulnerabilities.

Apache Roller, which is the most popular Java blogging software (and is run by some huge blogging sites), has had exactly ONE security vulnerability. Wordpress has had over 90.

Those are a few examples.

"The plural of anecdote is not data. The most verbose error messages I see on the web these days are from Java stacks that have fallen over. That's bad config,"

That's not how things are configured out of the box with the vast majority of Java Web frameworks. Most will just send back a 500 error. You have to specifically enable debugging behavior to get stack traces dumped to the Web browser.

"Neither is my PHP. I suppose it could be. But so could a perl or python script or ... drumroll ... a jsp file."

A: Most Java Web frameworks don't store the JSPs in a Web accessible directory. Again, front controller design pattern. You cannot directly request a JSP in most Java frameworks. You have to go through the front controller, and the actual JSP files are stored in a directory that is not accessible to the Web. So even if someone were able to crash your servlet container and request unprocessed files directly from Apache, they would not be able to request any JSP files.

B: If you have any business logic in your JSP files, you are doing it wrong.

Again, I hope most PHP developers have moved beyond splattering business logic in their Web pages, and jumping in and out of PHP. And I hope most have adopted best practices such as the front controller design pattern, which not only makes code more maintainable, but greatly improves its security. If you are one of them who structures your PHP apps using MVC design patterns, and you have adopted the front controller design, then that's great.

"Classic way to own a windows box. Via SQL injection no less. I believe Java still has Runtime.getRuntime.exec(badData) ..."

Yes, Java does allow you to do that. But in nine years of Java Web development, I have never found a good reason to use it. But eval seems to be fairly common in PHP. I won't pretend to know why so many PHP developers use it. Aside from the security concerns, it should also be avoided for performance reasons of course.

Please note that I am not claiming that PHP, in and of itself, is full of security holes. I believe it is possible to write secure applications in PHP. But I believe PHP makes it much more difficult than most other Web technologies do.

But the fact remains, would I write a mission critical application in PHP? No. I would not. I've written a few small applications in PHP in the past. But I would not write anything mission critical in it.

0
0
Anonymous Coward

Bored now.

"I gave you a citation. NIST (National Institute of Standards) statistics."

That's not a citation.

"Well, for comparison purposes [... ]"

Apples and Oranges. Try again.

"Apache Roller, which is the most popular Java blogging software (and is run by some huge blogging sites), has had exactly ONE security vulnerability. Wordpress has had over 90."

Citation needed. I need one for your "most popular" claim as well. Seems to me like you just cherry-picked. By the way:

http://en.wikipedia.org/wiki/Blogging_software#Software_used_for_top_20_blogs

"A: Most Java Web frameworks don't store the JSPs"

But you can. So we're back to the problem being the developer not the language.

"So even if someone were able to crash your servlet container and request unprocessed files directly from Apache, they would not be able to request any JSP files."

Ditto for any fucking script outside the webroot. Java Masturbation Fail.

"And I hope most have adopted best practices such as the front controller design pattern,"

Ever worked on really small sites? The antique shop round the corner wants an about page and a contact form. For a couple of hundred quid. Most of the web ... isn't banking apps.

"Again, I hope most PHP developers have moved beyond splattering business logic in their Web pages "

So we're back to you vaguely remembering things and having vague impressions of things, and that somehow being the basis for an argument.

"Yes, Java does allow you to do that. But in nine years of Java Web development, I have never found a good reason to use it."

You've had no recourse to external programs? In 9 years of dev? Doesn't sound very ... unixy ...

"But eval seems to be fairly common in PHP."

Seems. T'isn't.

"I won't pretend to know why so many PHP developers use it."

And I won't pretend to have seen any using it in any of the third party code I've used.

"But the fact remains, would I write a mission critical application in PHP? No. I would not."

Don't worry. Most non-Java devs say that about Java.

"But it is not *that* popular that it can explain such a huge discrepancy."

So you're just going to ignore the rejoinder that considerably more than 45% of CMSes are written in PHP. Now that you've shown commitment to this argument, understand that I'm going to stop here and keep pressing this button until you admit that PHP is MORE secure than Java. Sure the model is naive. But it's your model.

0
0

re:

"That's not a citation."

Yes, it is. Unfortunately, I have no way to get the printed report to you.

"Apples and Oranges. Try again."

No, it's not apples and oranges. PHP is the underlying technology that allows you to execute PHP code in a Web server. The servlet container is the closest thing there is to a Java equivalent. So comparing Tomcat with PHP is a valid comparison.

"Citation needed. I need one for your "most popular" claim as well."

Roller is the blog server that powers JRoller, and also the server that powers Sun's (now Oracle's) blogs. It also powers all of IBM's blogs. And I didn't cherry-pick. I picked the most popular Java blogging package and compared it with the most popular PHP blogging package.

But I'll humor you by picking a different one. One that's in your Wikipedia article. How about Movable Type? (which is written in Perl). It's had 31 security vulnerabilities, again, compared with more than 90 for Wordpress. And again, these statistics come from Secunia's vulnerability database. Which I believe I already told you. So don't ask for a citation again.

"Ever worked on really small sites? The antique shop round the corner wants an about page and a contact form"

If you've only got an email contact form, that's one thing. But if you have more than a couple of dynamic pages, seriously, how much time does it take to write a front controller? Not that long. And it's worth the extra investment for added security and maintainability.

"So we're back to you vaguely remembering things and having vague impressions of things,"

Vaguely remembering things? No, not at all. The fact is, that is how many older PHP applications were written. Unfortunately, it's how many newer ones are written as well. Business logic is mixed in with presentation, and there is no single entry point to the application.

"You've had no recourse to external programs? In 9 years of dev? Doesn't sound very ... unixy .."

The number of libraries available for Java make it pretty much unnecessary to have to invoke external programs to accomplish anything. There are plenty of reasons to avoid this, even if it is not very "unixy". It breaks cross-platform portability, it's very inefficient, and it can cause security issues.

"And I won't pretend to have seen any using it in any of the third party code I've used"

After you just got done saying it's not very "unixy" not to do things this way?

"Don't worry. Most non-Java devs say that about Java."

Well, they can say that all they want. But the industry has pretty much spoken and fallen into two camps: Java, and .NET. People simply aren't writing banking software, brokerage software, and other such sites where information security is of critical importance in PHP. And according to the TIOBE index, PHP is, in fact, losing popularity, while Java and .NET remain firmly entrenched.

0
0

This post has been deleted by a moderator

Anonymous Coward

Why?

Your argument was that PHP is not popular enough to account for the number of vulnerabilities in the statistic you have no citation for. By a naive yardstick (ie. projects on sourceforge), PHP is a lot more popular than you imagined, has considerably more web apps written in it, and clearly has fewer vulnerabilities per app than Java. Don't like that? It was your model.

0
0

re: Why?

I'm still not sure how you are coming to that conclusion. And besides, Java is actually the most popular language on SourceForge, followed by C++, followed by C, and then PHP coming in fourth. At least as of 2006. Unfortunately, SourceForge no longer publishes language statistics. For the sake of throwing some numbers out, 24,853 projects on SourceForge mention Java. Compared to 19,050 that mention PHP. Of course, not all of those Java projects are Web apps or Web libraries.

But since you are throwing naive numbers around, here's one for you (admittedly naive).

There are 10,119 security vulnerabilities in Secunia's advisory database that mention PHP.

There are only 1,003 that mention Java.

So let's see... There are more Java projects on SourceForge than PHP projects. And yet PHP applications have 9x as many security vulnerabilities according to Secunia's vulnerability database.

So clearly, PHP has significantly more vulnerabilities per app than Java does.

0
0
Anonymous Coward

Because.

"Java is actually the most popular language on SourceForge, followed by C++, followed by C, and then PHP coming in fourth. At least as of 2006."

You love Java. We get it. What has popularity to do with anything? Britney is better than Beethoven, is it? Besides, you're arguing Java's popularity with ... no-one.

"For the sake of throwing some numbers out, 24,853 projects on SourceForge mention Java. Compared to 19,050 that mention PHP."

"Mention". Think we can both see the hole in that one. But taking these as our baseline. Should we look at the percentages of these apps that make it off the drawing board? Should we look at the value of vulnerabilities in those apps to white or black hats? Can't see anyone bothering with "Sweet Home 3D" ...

"Of course, not all of those Java projects are Web apps or Web libraries."

No. Look at web-apps. PHP is considerably more popular. Note. I don't care how popular PHP is. I only care about its popularity in the context of your claim that it isn't popular enough to account for having a higher share of vulnerabilities.

"There are 10,119 security vulnerabilities in Secunia's advisory database that mention PHP.

There are only 1,003 that mention Java."

And quite a few of those appear to be vulnerabilities in Java itself. For PHP, it's the apps that are the main problem. Apples and oranges again. And of course, since both list "multiple vulnerabilities" the data is even more useless. So how about you back up your initial claim with some actual data, and without recourse to "a piece of paper I have", as that does not constitute a citation.

"PHP applications have 9x as many security vulnerabilities according to Secunia's vulnerability database."

Apps. So you're back to relying on devs being the cause of vulns, not the language. Although, like I said, the vast majority of those 1003 vulns aren't web-app vulns.

Even if we take your data to mean what you think it means, by looking at a popular type of web-app on sourceforge, the CMS, we can see that there are ~10x as many written in PHP than in Java. If PHP apps have 9x more vulns, then ... well you do the math.

0
0

re: Because

"What has popularity to do with anything? Britney is better than Beethoven, is it? Besides, you're arguing Java's popularity with ... no-one."

You're the one that brought SourceForge numbers into it. I was simply pointing out that your assumptions about PHP vs. Java popularity on SourceForge might be wrong. And that Java is far more popular in the open source world than you seem to think it is.

" Should we look at the percentages of these apps that make it off the drawing board?"

I'd be willing to bet there are just as many abandoned PHP projects on SourceForge as there are abandoned Java projects. And that the blackhats aren't going to bother with some little known PHP CMS that is at #19,000 on the Sourceforge list, and that one person on some site that gets no traffic actually uses.

Obviously, those statistics would be very time consuming to gather, and I doubt you or I have the time to spend on it (the % of abandoned Java projects vs. the % of abandoned PHP projects).

"So you're back to relying on devs being the cause of vulns, not the language."

Again, keep in mind that I never said it was impossible to write secure apps in PHP. What I said, was that it seems PHP makes it more difficult than many other languages do, and that even experienced PHP developers seem to have a very hard time securing their PHP apps.

0
0

re:

And BTW, if the antique site around the corner just wants a contact page, why would you even mess around with PHP? I'd just use a CGI script. Sure it's inefficient, but it's quick and easy to do, and I doubt the inefficiency is going to be an issue for the 20 or so visitors they get to their site every day, and the 2 or 3 that actually use the form.

0
0
Anonymous Coward

Seriously?

You created a new account just for this?

"And BTW, if the antique site around the corner just wants a contact page, why would you even mess around with PHP?"

So what projects _did_ you use PHP on?

"I'd just use a CGI script."

A CGI script that mixes markup and logic. So you've just argued against yourself again.

"Sure it's inefficient."

Said the Java dev.

0
0

re: Seriously

"You created a new account just for this?"

No. I had an account before. But I haven't used it in a long time and forgot what it is. I don't frequent this site very often.

"So what projects _did_ you use PHP on?"

A couple of searchable article databases several years ago for uploading, storing, and indexing Word and PDF documents and making them searchable. Also, an image recognition project. Although much of that code was written in C for performance reasons. A few other smaller projects too.

"A CGI script that mixes markup and logic. So you've just argued against yourself again."

I haven't argued against myself. I'm simply being reasonable. If it's one page, that has "Your name:", "Your email address:", "Your phone number:", "Your comments:" fields, and all it does is generate an email that goes to the antique store owners, then yeah, it makes no sense to do an MVC design. After all, you aren't even hitting a database here. But I'm assuming full blown Web applications here with AJAX, database access, authentication, a lot of dynamic content.

"Said the Java dev."

I'm not sure what that is supposed to mean. Surely you aren't trying to claim that PHP outperforms Java? You know as well as I do that from a performance standpoint, Java runs circles around PHP. In fact, there is a PHP implementation written in Java (Quercus) and designed to run in Java servlet containers which is around 4x faster than native PHP. (Benchmark done by comparing real apps and usage. MediaWiki and Drupal being run under Quercus vs. native PHP).

So please, don't even try to start with the tired old "Java is inefficient" arguments.

0
0
Anonymous Coward

No.

"No. I had an account before."

Account created on Thursday 24th March 2011 15:50 GMT, but you've been arguing since the 22nd.

0
0

re: No

I actually created the account on the 22nd. You can't post here without being logged in. Even if you check the "Post anonymously" box you still have to be logged in to post. I don't know why it says this account was created on the 24th. It was created on the 22nd. The 24th is just the first time I posted without checking the "Post anonymously" box.

0
0
Anonymous Coward

Re: re: re

"I haven't argued against myself. I'm simply being reasonable. "

And making a case for mixing up logic and markup, counter to your earlier remark.

"I'm assuming full blown Web applications here"

You lot usually do, in complete ignorance of how projects grow.

" Java runs circles around PHP"

Compiled faster than interpreted. Who'd'a thunk it.

0
0

re: re

"You lot usually do, in complete ignorance of how projects grow."

Huh? We build them that way in anticipation of growth. How is that ignorance? I'd say it's the vast majority of PHP developers that seem to have a much bigger problem with being completely ignorant about how projects grow. That's why there is so much unmaintainable PHP code out there. How many PHP developers have actually read the Gang of Four book, for example? How many have even heard of it? (Hint: The quintessential work on software design patterns. Actual title: "Design Patterns: Elements of Reusable Object-Oriented Software" if you are interested in checking it out).

0
0
Anonymous Coward

Blah, blah, gang of four, yes we know.

"[If all] it does is generate an email that goes to the antique store owners, then yeah, it makes no sense to do an MVC design."

And then

"Huh? We build them that way in anticipation of growth."

So which is it?

You've heard of the long tail, right? Most sites out there couldn't run on Java because it doesn't scale down. Java has its place like everything else. Get over it. You know, for someone who doesn't "frequent this site very often" you've been awfully persistent on this one issue, and with little evidence. I suspect you are being disingenuous.

"And that Java is far more popular in the open source world than you seem to think it is."

I don't think Java is unpopular in any damn world. Stop being so obtuse. You started this entire pointlessness by doubting that PHP is as massively popular on the web as it undoubtedly is. That's its niche. That's why organisations like OWASP - who can put together much more coherent arguments against it than you - use it on their web sites, rather than spending their resources on Java or .NET.

0
0

re: blah blah

"So which is it?"

Rule of thumb: Go ahead and skip the whole MVC design thing if you are willing, in the future, to throw away all of the code you are writing now if the site grows. So yes, for something as simple as an email contact form? If the site grows in the future, I'm willing to throw that code away and rewrite it later because it probably only took 30 minutes to write in the first place.

"Most sites out there couldn't run on Java because it doesn't scale down."

A lot of sites can't run on Java because a lot of cheap shared hosting services don't support Java. Admittedly, the lack of a multi-tasking virtual machine has been an issue when it comes to shared hosting. Each Tomcat (or whatever app server you are running) instance has required its own VM. However, the advent of Xen has negated the problem to a large extent, because small shops now have the option of getting a VPS instead of shelling out for a full dedicated server. And of course, Google App Engine supports Java now as well, which opens up a lot of possibilities.

"You started this entire pointlessness by doubting that PHP is as massively popular on the web as it undoubtedly is."

I didn't say it wasn't massively popular. I said it is not popular enough to explain such a huge discrepancy.

"I suspect you are being disingenuous"

I'm not being disingenuous at all.

And if I am being persistent and disingenuous, what are you doing? You even managed to hit far enough below the belt to get one of your posts deleted by the moderators because of personal attacks and obscene language.

0
0
Anonymous Coward

Re blah blah blah blah, re blah blah blah

"A lot of sites can't run on Java because a lot of cheap shared hosting services don't support Java. "

Oh. It's someone else's fault. Silly me. Why is it they don't support Java again?

"Admittedly, the lack of a multi-tasking virtual machine has been an issue when it comes to shared hosting. Each Tomcat (or whatever app server you are running) instance has required its own VM."

What was I saying about bloat?

"However, the advent of Xen has negated the problem to a large extent, because small shops now have the option of getting a VPS instead of shelling out for a full dedicated server. "

How has that negated anything?

"And of course, Google App Engine supports Java now as well, which opens up a lot of possibilities."

Yes. If you want to pay £500 a day for a Java dev. Most people ... don't want to. Don't be hating on the scripters. You've priced yourself out of a lot of jobs.

"I didn't say it wasn't massively popular. I said it is not popular enough to explain such a huge discrepancy."

You still haven't provided any data for that claim. Just referred to a piece of paper. And no, that still isn't a citation. I have tried to throw some (publicly available) data into the debate by looking at the number of web applications available for download. We could have discussed the methodology of that argument. But, sensing it wasn't going to be so easy to mindlessly troll PHP as you had initially hoped, you rather gave up. Should I mention lizamoon at this point?

"And if I am being persistent and disingenuous, what are you doing?"

Being someone with a lot of posts on other subjects. And being someone who doesn't like mindless language trolling.

"You even managed to hit far enough below the belt to get one of your posts deleted by the moderators because of "

Yeah. Just as I was about to exit the argument. Having my comment deleted after initially being accepted spurred me on some. But, thanks for the info.

"personal attacks and obscene language."

El Commentardery is full of it. Best not to cry about it too much.

0
0