43 Percent of Vulnerabilities in 2006 Were php subject logo: UNIX
Posted by: badanov

Via The Register comes the incredible news that 43 percent of all vulnerabilities reported in 2006 were connected to the web programming language php.

php is a web-based programming language which embeds perl-looking code into web pages so that dynamic web content can be served.

php's advantage over such panguages as Java and perl is its simplicity. A user with a small grounding in programming can code in php. php is an mature, albeit not advanced, langauge having been in existance since the mid-1990s, and accounting for, according to the linked article, 1.3 million websites worldwide.

php has an incredible number of both integral and add on modules for interacting with third party software suich as databases, with straight forward instructions and caveats allowing relatively new web programmers to hammer out a dynamic web site in very little time.

This blog in its entirety is coded in perl, not php, primarily because of its relatve secure nature. Without really understanding why php accounts for so many probleams, we suspect that scope, where a script constricts variables to only the local environment, is a likely culprit. Scope is critical in perl. We must identify everything as local in nature or some attackers can overtake a script and run it for their own purposes. A little error in the script, and voila, they own your server.

The article goes on to describe that 23 percent of vulnerabilities reported in 2006 were database attacks, where an attacker can inject sql code into a webform or a url, crash the database server long enough to gain access.

This is an odious form of attack, and so much of a concern for us, we were forced to change the database address to bolster its local security. Database security is the primary reason we prefer postgreSQL, the database backend which serves this site, over MySQL is because of security and licensing problems.

If this story sounds like a public relations ad, congratulations, you are correct.

So, secure those php applications, and remember the top three computer security measures: backups, physical security and backups.

If you have something to add, Fire Away!

Number of Comments so far: 0

Click here for a list of stories in the Unix and Computer category