> That's a rather odd question. Microsoft has been (rightly) criticized
> for providing server *applications* that are insecurely configured (as
> you point out), but PHP is not an application. PHP is a language, so
> until a program or script is written and accessible from the server, it
> does nothing. PHP, by itself, is not accessible externally because it's
> not running a daemon that opens a port.

I don't agree. There are lots of web programs written in Perl, ASP, even ColdFusion. But when I watch the security lists I see exploit after exploit for web applications, and the vast majority of them have one thing in common: they are written in PHP. I'm not blaming PHP, but you can't just ignore that and say it's meaningless. It's an obvious pattern, and it points to a problem with either the language or the way it's configured or used.

Whatever the reason, if we are going to have a secure internet environment then people need to be aware of the problem and solutions. All that I've been suggesting is that SANS point out this danger, make people aware that PHP-based applications are being exploited at these levels, and focus attention on the problem. Perhaps a table of popular PHP-based applications and a count column of the number of exploits each has had to patch, so folks can make an informed decision when looking for PHP-based web apps.

Geo.