Darren Reed said:

> From my own mail archives, PHP appears to make up at least 4% of the
> email to bugtraq I see - or over 1000 issues since 1995, out of the
> 25,000 I have saved.

Do you mean the PHP interpreter? Or applications written in PHP?

I'm not sure how many vulnerabilities were in the PHP interpreter itself, but it looks like it's about 150 or so. Applications that are WRITTEN in PHP, however, probably cover 20% or more of all reported vulns this year. This is just a hunch - I don't have any way of proving this. Most PHP apps don't have "php" in their name, and I don't know of a vulnerability database that records which programming language was used for an application. But the rest of your email matches on "php" were probably PHP applications.

> People complain about applications like sendmail... in the same period,
> it has been responsible for less than 200.

It's more appropriate to compare the PHP language to the C language, or to compare Sendmail to various high-profile PHP applications.

> Do we have a new contender for worst security offender ever written

Over the years, the PHP language has made it very easy for inexperienced application programmers to shoot themselves in the foot, and it has features that even experienced programmers might not know to defend against. Sounds kinda like C, doesn't it? One thing with PHP, though: you don't need much training before you can put together a usable program. Powerful features plus lots of non-expert programmers equals a lot of vulnerabilities, regardless of the language.

PHP is slowly removing the most dangerous features, or at least not enabling them by default. I suspect that a large percentage of vulnerabilities could be fixed with programming languages with built-in security considerations, and an API that makes it easy or transparent to do safer programming.
- Steve

=======================================================================
Disclaimer: this document was publicly posted to foster timely technical exchange. It may contain errors or omissions. The views and opinions being expressed are those of Steve Christey and do not necessarily reflect the views of The MITRE Corporation. Members of the press are requested to contact me directly before quoting any statements in this document.
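The post says PHP "has features that even experienced programmers might not know to defend against" and is "slowly removing the most dangerous features, or at least not enabling them by default", without naming one. The following is an added example, not code from the post or from Steve Christey: it uses register_globals, a real PHP directive that was on by default before 4.2.0, off by default afterwards, and removed in 5.4, as one concrete instance of that pattern. The credentials, request arrays and the `credentials_ok()` name in the commented-out vulnerable fragment are constructed for illustration.

```php
<?php
// Added example; not code from the original post, which names no specific
// PHP feature. register_globals is one concrete instance of a dangerous
// feature PHP first stopped enabling by default (4.2.0) and later removed
// (5.4): every request parameter silently became a global variable, so any
// variable a script read before assigning it was attacker-controlled.

// ---- Vulnerable pattern (top-level page code, shown commented out) ----
// With register_globals=On, requesting  page.php?authorized=1  defines a
// global $authorized before this code runs. The branch only ever assigns
// true, so a failed login leaves the attacker's value in place and the
// admin panel is included. credentials_ok() is a hypothetical helper.
//
//   if (credentials_ok($user, $pass)) {   // $user/$pass also came from the URL
//       $authorized = true;
//   }
//   if ($authorized) {
//       include 'admin_panel.php';
//   }

// ---- Hardened version ----

// Constructed credential for the example only; a real application would
// verify a salted hash stored server-side rather than compare plaintext.
$EXPECTED_USER = 'admin';
$EXPECTED_PASS = 'correct horse';

// Takes the request array explicitly, initialises its own state, and never
// consults a global that a request could have pre-set. Written in
// PHP 5-compatible syntax so it also runs on interpreter versions where
// register_globals still existed.
function is_authorized($post, $expectedUser, $expectedPass)
{
    $authorized = false;                      // fail closed
    $user = isset($post['user']) ? $post['user'] : '';
    $pass = isset($post['pass']) ? $post['pass'] : '';
    if ($user === $expectedUser && $pass === $expectedPass) {
        $authorized = true;
    }
    return $authorized;
}

// Refuse to run at all if the interpreter still honours the dangerous
// setting. ini_get() returns false when the directive is unknown to the
// build (PHP >= 5.4), and '' or '0' when it is present but off.
function register_globals_is_on()
{
    $value = ini_get('register_globals');
    if ($value === false) {
        return false;
    }
    $value = strtolower(trim($value));
    return $value !== '' && $value !== '0' && $value !== 'off' && $value !== 'false';
}

if (register_globals_is_on()) {
    header('HTTP/1.0 500 Internal Server Error');
    exit("Refusing to run with register_globals enabled\n");
}

// Constructed request: a failed login that also tries to smuggle in
// authorized=1. The injected key is simply ignored by is_authorized().
$request = array('user' => 'admin', 'pass' => 'wrong', 'authorized' => '1');
var_dump(is_authorized($request, $EXPECTED_USER, $EXPECTED_PASS));

// Constructed request: a genuine login.
$request = array('user' => 'admin', 'pass' => 'correct horse');
var_dump(is_authorized($request, $EXPECTED_USER, $EXPECTED_PASS));
```

Run it with `php example.php`. The fix is not a library call but a habit: initialise every flag before the branch that might set it, read input only from the explicit request arrays, and treat the interpreter's configuration as something the application should check rather than assume. That is the kind of defensive step the post argues a language or API should make transparent instead of leaving to each programmer.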