mike wrote:
On 8/22/07, Chris <dmagick@xxxxxxxxx> wrote:
That's a completely wrong assumption. PhpBB has had a lot of
vulnerabilities in the past, as has php-nuke and other popular packages.
They've been around for years and not written by newbie's as far as I
know - but I don't have any link to either package I just mentioned.
both of those packages are spaghetti code. they started from something
small and grew. combine adding features on top + development teams of
different skills, backgrounds and language barriers and you typically
get a very diverse codebase. when code isn't as tight, it opens itself
up for having inconsistent methods of doing things - perhaps someone
wrote an XSS-safe feature, but someone else didn't reuse that portion
or reused it incorrectly.
i think that's pretty common sense. i coded my own forum from scratch,
and while not as feature-rich as phpbb, nothing in it can be exploited
like that. each feature i add on top of it is also that tight. but i
am a single developer, i know everything i have done. adding other
people i would expect that it would not be as tight. it is the problem
with all projects.
I agree with all you've said - but saying that a hardened-php type
project should only be installed for a 'newbie' installation is just wrong.
You can't possibly audit every single line of code that is going to be
run on your server.
The two packages I mentioned are very popular and are run all over the
place - if I'm running the server that one of these packages are
installed on, then I'm of course going to do all I can to make sure it's
secure as possible.
I'm agreeing with the ideas behind Grasp & Suhosin - I'm just
disagreeing with Daevid's comment about them only being for 'newbie'
installations.
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
