Basically, I just didn't feel like typing, that's what the frx was about :)
Just like I don't feel like typing a reply to Apatrid about NGSCB :)
But since you insist...
Here goes, in order.
PHP sux:
1. Vulnerabilities of the PHP language
Quote from the book
Programmer's Ultimate Security DeskRef - came out half a year ago, so it's fresh reading; it contains an overview of the insecure functions and features of individual languages, an ideal overview for hunting vulnerabilities.
For PHP the following are listed:
basename
bzopen
bzread
chmod
chown
chroot
dirname
eval
exec
fgets
fgetss
file
filegroup
fileowner
fileperms
fopen
fread
fscanf
fsockopen
getallheaders
getenv
gzfile
gzgetc
gzgets
gzgetss
gzopen
gzread
Highlight_file
is_dir
is_executable
is_file
is_link
is_readable
is_writable
is_writeable
leak
link
lstat
mkdir
opendir
passthru
pfsockopen
popen
posix_getlogin
posix_mkinfo
posix_ttyname
readfile
rename
rmdir
show_source
stat
symlink
system
unlink
Pretty impressive list... say no? :)
Furthermore, ASP.NET isn't mentioned in this book at all, and of the managed languages C# is mentioned, with the following APIs: GetTempPathA, ImpersonateDdeClientWindow, lstrcpyn, OemToAnsiBuff, OemToCharBuffW, which are essentially pure Win32 API and aren't part of the language or of the ECMA C#/CLI standard at all. What the author forgot to mention is that even when they are used, the Stack Walk mechanism that enforces the .NET security policies acts on P/Invoked functions, so there's no danger whatsoever!
Unlike PHP, where everything listed above is a function built into the language.
2. Number of bugs in the framework
You'll have to do it by hand...
http://www.securityfocus.com/bid/vendor/
Let's count the bugs since ASP.NET was officially released
Quote:
ASP.NET:
2004-05-06: Microsoft ASP.NET Malformed HTTP Request Information Disclosure Vulnerability
2005-02-08: Microsoft ASP.NET URI Canonicalization Unauthorized Web Access Vulnerability
2005-02-16: Microsoft ASP.NET Unicode Character Conversion Multiple Cross-Site Scripting Vulnerabilities
2004-03-08: Multiple Vendor HTTP Response Splitting Vulnerability
2003-11-14: Microsoft ASP.NET Request Validation Null Byte Filter Bypass Vulnerability
vs.
Quote:
PHP:
2005-05-31: PHP cURL Open_Basedir Restriction Bypass Vulnerability
2005-05-31: PHP Group Exif Module IFD Nesting Denial Of Service Vulnerability
2005-05-31: PHP Group Exif Module IFD Tag Integer Overflow Vulnerability
2005-05-31: PHP Multiple Local And Remote Vulnerabilities
2005-05-31: PHP Group PHP Image File Format Remote Denial Of Service Vulnerability
2005-05-31: PHP Group PHP Multiple Unspecified Vulnerabilities
2005-05-26: PHP Group PHP Remote JPEG File Format Remote Denial Of Service Vulnerability
2005-04-06: PHP Strip_Tags() Function Bypass Vulnerability
2005-03-07: PHP JPEG Image Buffer Overflow Vulnerability
2005-03-07: PHP Remote Arbitrary Location File Upload Vulnerability
2005-03-07: PHP PHP_Variables Remote Memory Disclosure Vulnerability
2005-03-02: PHP Glob Function Local Information Disclosure Vulnerability
2005-02-25: PHP4 Readfile Denial Of Service Vulnerability
2005-02-16: PHP Undefined Safe_Mode_Include_Dir Safemode Bypass Vulnerability
2005-02-16: PHP4 Multiple Vulnerabilities
2005-02-16: PHP memory_limit Remote Code Execution Vulnerability
2005-02-16: PHP Shared Memory Module Offset Memory Corruption Vulnerability
2005-01-13: PHP Multiple Remote Vulnerabilities
2004-12-22: PHP openlog() Buffer Overflow Vulnerability
2004-06-07: PHP Microsoft Windows Shell Escape Functions Command Execution Vulnerability
2004-05-27: PHP Input/Ouput Wrapper Remote Include Function Command Execution Weakness
2003-11-07: PHP emalloc() Unspecified Integer Overflow Memory Corruption Vulnerability
2003-11-07: PHP wordwrap() Heap Corruption Vulnerability
2003-09-24: PHP4 Base64_Encode() Integer Overflow Vulnerability
2003-08-25: PHP Transparent Session ID Cross Site Scripting Vulnerability
2003-08-13: PHP Mail Function ASCII Control Character Header Spoofing Vulnerability
2003-08-13: PHP Function CRLF Injection Vulnerability
2003-08-13: PHP DLOpen Memory Disclosure Vulnerability
2003-06-08: PHP STR_Repeat Boundary Condition Error Vulnerability
2003-06-08: PHP array_pad() Integer Overflow Memory Corruption Vulnerability
2003-06-04: PHP PHPInfo Cross-Site Scripting Vulnerability
2003-05-19: PHP Post File Upload Buffer Overflow Vulnerabilities
2003-05-07: PHP SafeMode Arbitrary File Execution Vulnerability
2003-04-14: PHP MySQL Safe_Mode Filesystem Circumvention Vulnerability
2003-03-26: PHP socket_recvfrom() Signed Integer Memory Corruption Vulnerability
2003-03-26: PHP socket_recv() Signed Integer Memory Corruption Vulnerability
2003-03-25: PHP socket_iovec_alloc() Integer Overflow Vulnerability
2003-02-19: PHP CGI SAPI Code Execution Vulnerability
2003-01-08: PHP 4.0.3 IMAP Module Buffer Overflow Vulnerability
2002-09-07: PHP Header Function Script Injection Vulnerability
2002-08-08: PHP HTTP POST Incorrect MIME Header Parsing Vulnerability
2002-07-22: PHP Interpreter Direct Invocation Denial Of Service Vulnerability
2002-04-25: PHP posix_getpwnam / posix_getpwuid safe_mode Circumvention Vulnerability
2002-03-21: PHP Move_Uploaded_File Open_Basedir Circumvention Vulnerability
Draw your own conclusion....
3. Number of security bugs in applications
http://www.frsirt.com/exploits/ -> over the past year, for PHP-related applications: 16 of them
for ASP.NET: 0
A similar ratio holds on the other collections of public exploits that the kiddies use.
4. Amount of malware for programs on the target platform
PHP is the foundation of a new generation of web-based worms, which don't exist anywhere except on PHP, above all Santy (which was the first phpBB worm) and its variants:
Santy.A,
Santy.B etc...
Let me remind you, in 3-4 hours Santy spread to > 30,000 vulnerable servers, thereby carrying out the biggest deface in history.
Soon after that, things like this started coming out:
http://www.frsirt.com/exploits/20041225.PhpIncludeWorm.php
Quote:
This worm does not have enough similarities with Santy, thus we renamed
this version to PhpInclude.Worm. It targets ANY .PHP page/script vulnerable to a remote file inclusion
(programming) flaw [these vulnerabilities are independent from the PHP version, they result from
common coding mistakes]
These days variations on the theme come out every few days, automatically installing bots that are used to control the infected machines over IRC, usually for DoS attacks and the like. For instance this incident from bugtraq about a month ago:
http://www.securityfocus.com/a...397328/2005-04-29/2005-05-05/1
Quote:
On the first machine, about two or three weeks ago, I discovered a shell
running a perl script out of /tmp which was a UDP DDoS zombie program.
As far as I could tell, it got in through PHP somewhere, but I couldn't
tell where for sure. It's possible it came in through a vulnerable
phpBB2 installation, but I can not say for sure.
Bugs in PHP applications are an everyday occurrence today. Forums like phpBB are today synonymous with what sendmail was 10 years ago -> a bottomless pit. After all, elitesecurity too was defaced through a vulnerable PHP script, and it's maintained by people who know their job very well....
5. Scalability and capabilities of the platform
PHP has only had some semblance of OO capabilities since version 5, and even that isn't in use that much; as far as I can see most servers run PHP 4, so PHP is shit for any kind of more serious project.
Furthermore, to follow up on
this post of mine:
Can someone explain to me why 99% of PHP forums/web applications on the Internet can be DoSed with a 20-line script and 2-3 ISDN lines?????
If we leave aside the catastrophically bad design and performance, the fact that PHP carries 99% of the security problems in web applications today, the fact that it carries the new generation of web worms (which didn't even exist before), the "seriousness" of that amateur extension of HTML, which got its first hints of object-oriented design only in version 5 (and which still isn't used nearly as much as v4), is best illustrated by the fact that a team of 4-5 people with no prior experience whatsoever in writing compilers ported most of PHP to the .NET runtime:
http://channel9.msdn.com/ShowPost.aspx?PostID=48906
http://www.php-compiler.net/
Just look at this:
http://www.php-compiler.net/Benchmarks.htm#phpBB
Quote:
16 May 2005: Phalanger 1.0 Beta 3 makes phpBB 2.5-times faster than PHP and 1.7-times faster than PHP + Zend Optimizer!
PhpMyAdmin, phpBB, PHP-Nuke, PHP-GTK... and the other amateur open-source projects have already been ported without problems.
Now they just need to add calling CLR objects from PHP, and the revolution can begin :)
In the end let me just add that this is MS's amateur research project, purely conceptual... for junior developers to sharpen their skills.. imagine what it would be like if the VS gurus did it... if they put a PHP designer into the VS GUI :o)
6. And now... the conclusion
PHP sux & u know it.
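As an added example (not from the post, the DeskRef book or any of the projects named), a small Python check that takes a subset of the function list in point 1 together with PHP's include/require constructs (the remote file inclusion sink the PhpInclude.Worm quote describes) and flags calls whose arguments read a request superglobal directly; the PHP sample it scans is constructed, and the sink subset and taint rule are assumptions for illustration.

```python
import re

# Hypothetical scanner (added example). Sinks: a subset of the functions the
# DeskRef list names, plus include/require, which are language constructs and
# are not in the book's list but are the remote-file-inclusion sink.
SINK_FUNCTIONS = {
    "eval", "exec", "system", "passthru", "popen", "fopen", "readfile",
    "file", "fread", "unlink", "rename", "chmod", "opendir", "fsockopen",
}
INCLUDE_CONSTRUCTS = {"include", "include_once", "require", "require_once"}

SINK_RE = re.compile(
    r"\b(?P<name>" + "|".join(sorted(SINK_FUNCTIONS | INCLUDE_CONSTRUCTS)) + r")\b\s*\(?",
    re.IGNORECASE,
)
# Direct taint only: a superglobal copied into a variable first is not tracked.
TAINT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")


def find_tainted_sinks(php_source):
    """Return (line number, sink name) for each line whose sink call is fed
    directly by a request superglobal. One finding per line is enough for triage."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if line.strip().startswith(("//", "#", "*")):
            continue  # comment-only line
        for m in SINK_RE.finditer(line):
            args = line[m.end():].split(";", 1)[0]  # argument text up to ';'
            if TAINT_RE.search(args):
                findings.append((lineno, m.group("name").lower()))
                break
    return findings


# Constructed sample, not taken from any real application.
SAMPLE_PHP = """<?php
// constructed sample
$page = $_GET['page'];
include($_GET['page'] . '.php');             // tainted include
readfile("/var/www/files/" . $_GET['f']);    // tainted readfile
$fh = fopen('/var/log/app.log', 'r');        // constant path, not flagged
system("ls " . $_POST['dir']);               // tainted system
$allowed = ['home' => 'home.php', 'about' => 'about.php'];
include $allowed[$page] ?? 'home.php';       // allowlist lookup, not flagged
"""


def scan_sample():
    return find_tainted_sinks(SAMPLE_PHP)


if __name__ == "__main__":
    for lineno, name in scan_sample():
        print(f"line {lineno}: {name}() called with a request-controlled argument")
```

The last sample line shows the usual fix for the include case: map the request value through a fixed allowlist instead of building a path from it.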