in reply to Combining PHP and Perl

If you like PHP, use it at your own risk. Check out the following security alert. Here's a bit of text from the alert:
The way that PHP handles file uploads makes it simple to trick PHP applications into working on arbitrary files local to the server rather than files uploaded by the user. This will generally lead to a remote attacker being able to read any file on the server that can be read by the user the web server is running as, typically 'nobody'.
According to the alert, they don't know of any way to really fix this problem, short of a new version of PHP being rolled out.

Cheers,
Ovid

Update: First, thanks for pointing out how to protect against this vulnerability. I'm not trying to say that PHP is evil, just that there is a known issue with it (and I'm not claiming that there aren't issues with Perl).

Next, I can see people voting me down for making a rude post, but why vote me down for letting people know about security issues? I would presume that people would prefer to know about these things. If there is a fix, people won't bother to apply it if they don't know about the original vulnerability.

I will confess that I didn't follow the links, but in seeing them, I see bad security advice in one: check to verify that the file sizes are the same and reject them if they aren't. Fine, so all I need to do is keep sending files in increments of one byte until I get a hit. That's pretty simple to crack.

The other one -- verifying the filename -- is obvious and I wouldn't have realized it since I don't know PHP. However, I still let my original post stand. There is a security issue and "according to the alert", the author didn't know how to fix it. I still feel it's important to raise issues like this because people should be aware of them.

Join the Perlmonks Setiathome Group or just go to the link and check out our stats.
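The alert quoted above describes an application trusting a client-supplied path as if it were the uploaded file. The following is an added example, not code from the thread or from PHP's own documentation, showing the defensive check that closes that gap: only the temporary file PHP itself created for the request is accepted, and the client-chosen filename is never used as a server path. The form field name "userfile" and the destination directory are assumptions.

```php
<?php
// Added example: a hardened upload handler.
// The weak pattern this replaces (from the register_globals era) took any
// path the request supplied and copied it into the web tree, so the "upload"
// could in fact be a file already on the server.  The checks below refuse
// anything that is not the temp file PHP wrote for this request.

declare(strict_types=1);

function handle_upload(string $field, string $uploadDir): string
{
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        throw new RuntimeException('no upload in request');
    }
    $f = $_FILES[$field];

    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . $f['error']);
    }

    // Core check: tmp_name must be a file created by the upload mechanism,
    // not an arbitrary server-side path.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }

    // Never build a path from the client-supplied name; only consult its
    // extension, against an allow-list, and pick a server-chosen name.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)) {
        throw new RuntimeException('disallowed file type');
    }
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // move_uploaded_file() repeats the is_uploaded_file() check internally.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

try {
    // Field name and directory are assumptions for this example.
    $saved = handle_upload('userfile', '/var/www/uploads');
    echo "stored as $saved\n";
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Note that a size comparison of the kind Ovid criticises is not part of the check at all: the decision rests on where the file came from (is_uploaded_file), not on any property the client controls.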

RE: (Ovid - PHP danger) RE: Combining PHP and Perl
by arturo (Vicar) on Oct 07, 2000 at 04:05 UTC

    Darn, I hate playing PHP apologist all the time. That securityfocus page has been up for some time, and there is an easy fix *in PHP* for it. It's called "checking the filename before you use it." Sure, it's a bit of a pain but it will have a more permanent fix soon. The PHP manual says this (now). If you follow the thread on securityfocus that Ovid posted, you can see how the PHP team responded.

    Back to the question at hand: PHP lacks a few features that I find handy in Perl, but of course the lack will only bother you if you use these features. I am otherwise a staunch advocate of the "use what works," so if you find that PHP works for you, use it. Just don't come cryin' here when it doesn't work for you =)

    • no 'use strict;' equivalent in PHP -- this would help with debugging, at the very least.
    • no complex data structures in PHP, AFAIK
    • PHP can use Perl-compatible regexes, but I find the implementation counterintuitive.
    • while it has great DB support, PHP lacks 'placeholders' for database inserts; this makes security here a little more painful, and also potentially slower.

    But PHP is still young, so this may all change.

    Philosophy can be made out of anything -- or less
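arturo's last bullet is about placeholders: with them the SQL text is fixed and user values travel separately, so quoting mistakes cannot turn data into query syntax. This is an added example, not code from the thread; it uses PDO prepared statements, which PHP gained well after this discussion, against an in-memory SQLite database so it runs on its own. The table name and columns are assumptions.

```php
<?php
// Added example: database insert with placeholders instead of interpolation.
// Requires the pdo_sqlite extension; the "notes" table is an assumed schema.

declare(strict_types=1);

function insert_note(PDO $pdo, string $author, string $body): int
{
    // Weak form, shown only as a comment: the values are spliced into the SQL
    // text, so a quote inside $author or $body changes the statement itself.
    //   $pdo->exec("INSERT INTO notes (author, body) VALUES ('$author', '$body')");

    // Placeholder form: the statement is parsed once, then the values are
    // bound as parameters and are never interpreted as SQL.
    $stmt = $pdo->prepare('INSERT INTO notes (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function fetch_notes(PDO $pdo): array
{
    return $pdo->query('SELECT id, author, body FROM notes ORDER BY id')
               ->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed input containing characters that break naive string splicing.
$id = insert_note($pdo, "O'Reilly", "quotes ' and -- comments are just data here");

foreach (fetch_notes($pdo) as $row) {
    printf("%d  %-10s %s\n", $row['id'], $row['author'], $row['body']);
}
// The row comes back exactly as inserted; the apostrophe and "--" were stored
// as text, not parsed as SQL.
```

The prepared statement is also the answer to arturo's speed remark: the same statement handle can be executed repeatedly with new parameters without re-parsing the SQL.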

RE: (Ovid - PHP danger) RE: Combining PHP and Perl
by Malach (Scribe) on Oct 16, 2000 at 01:22 UTC

    Just a comment.... your initial posting (pre-update) started with a generally negative statement, *then* qualified that, by going into detail.

    "Use it at your own risk" is true of any language/system/whatever.... including php and perl, but in this instance, I think overstates the problem.