PHP as a secure language? PHP worms?

As I just wrote to Bugtraq on this subject (it's being discussed there now), the most annoying thing about the PHP worms today is that the PHP vulnerabilities being exploited are everywhere.

As I already mentioned, this recent Linux worm has more to it, but that's for another post.

These vulnerabilities are very difficult to protect against because:
1. PHP is the "serious", or at least the open-source/Linux/security freak's, choice for web development. Mine as well (although, as many still say, Perl does a better job).

2. Developing secure applications in PHP is difficult, as one of PHP's creators said recently – even for him, after years of trying.

3. Staying on top of new PHP vulnerabilities has become almost impossible; they are popping up everywhere.

4. Determining how secure a PHP application is by looking at its code and at how silly its past vulnerabilities were (i.e. looking at the coder rather than the code) is now more important than the actual application.

Much like their own self-criticism said, PHP needs to grow into a far more secure language, just as we need to choose more carefully which PHP software we use.

Some of us have been joking for a while about writing a script that picks from different paragraphs we create, reassembles them randomly with a new PHP bug and a random PHP application name, and emails Bugtraq every few hours. Would any of us be able to readily tell the difference?

With all the fish, we can barely see the water. :(

As to the worms, this has been going on for longer than the two months the person I was replying to mentioned, but he is correct.

One note I'd like to make is that even if the second (interesting) payload in the Linux worm weren't there, just because someone uses old malware in the creation of new malware doesn't mean the result is old, or 99.9% of every "virus" ever written would be old.

Does Bagle.**** ring a bell with anyone? :)

If any of you are interested in sharing web server logs and being notified of new PHP problems we all notice online, drop me a note.

Gadi Evron,
ge@beyondsecurity.com.

  • c

    Hmm – after having collected some hosts' error logs, they show some tests to find PHP applications, but more searching for awstats and cvsweb. But it's true, probes for phpBB, Drupal, phpGroupWare, Mambo and pear/xml-rpc catch up very fast.
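One way to turn the shared logs the post asks for, and the probe pattern this comment describes, into a notification is a small scanner that groups requests for known application paths by source host: a worm or scanner sweeps many applications from one address, while a real visitor touches one. The following is an added example in Python and is not code from the original post, the commenter, or any of the projects named; the access-log format, the path substrings used as signatures, the threshold and the sample log lines are all assumptions constructed for illustration.

```python
"""Flag hosts that probe a web server for several PHP applications.

Added example (not from the original post or comment). The log format,
signatures, threshold and sample lines below are assumptions.
"""
import re
from collections import defaultdict

# Assumption: logs are in the Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Applications the comment lists as probe targets, keyed to assumed
# case-insensitive substrings of the request path. Extend to taste.
APP_SIGNATURES = {
    "awstats": ("awstats",),
    "cvsweb": ("cvsweb",),
    "phpbb": ("phpbb", "viewtopic.php"),
    "drupal": ("drupal",),
    "phpgroupware": ("phpgroupware",),
    "mambo": ("mambo",),
    "xmlrpc": ("xmlrpc", "xml-rpc"),
}

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2005:03:14:01 +0000] "GET /xmlrpc.php HTTP/1.1" 404 291 "-" "-"
203.0.113.7 - - [10/Nov/2005:03:14:02 +0000] "GET /awstats/awstats.pl HTTP/1.1" 404 291 "-" "-"
203.0.113.7 - - [10/Nov/2005:03:14:02 +0000] "GET /phpbb/viewtopic.php HTTP/1.1" 404 291 "-" "-"
198.51.100.2 - - [10/Nov/2005:03:20:45 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Nov/2005:03:21:01 +0000] "GET /drupal/ HTTP/1.1" 200 8822 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Nov/2005:03:30:00 +0000] "POST /xmlrpc.php HTTP/1.0" 404 291 "-" "-"
192.0.2.9 - - [10/Nov/2005:03:30:00 +0000] "GET /mambo/index.php HTTP/1.1" 404 291 "-" "-"
not a log line
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Return the application a request path probes for, or None."""
    p = path.lower()
    for app, needles in APP_SIGNATURES.items():
        if any(n in p for n in needles):
            return app
    return None


def scan(lines, min_apps=2):
    """Group probes by source IP.

    Returns {ip: sorted list of probed apps} for hosts that asked for at
    least `min_apps` distinct applications; lines that do not parse or
    do not match a signature are ignored.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        app = classify(rec["path"])
        if app:
            seen[rec["ip"]].add(app)
    return {ip: sorted(apps) for ip, apps in seen.items() if len(apps) >= min_apps}


if __name__ == "__main__":
    for ip, apps in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip} probed for: {', '.join(apps)}")
```

Run against a real log, the hosts it reports are the ones worth sharing, and a probe that your server answered with 404 is a blind sweep for software you do not run; a probe answered with 200 is the one to go and look at. The signatures are substring matches, so a new application or path only needs one more entry in the table.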