[OWASP-GUIDE] So is this list dead or what? :)

Chris Shiflett chris at shiflett.org
Sun Jan 23 22:27:19 EST 2005


Apologies for the delay in posting my comments. I've been too busy to
review this until now.

--- Andrew van der Stock <vanderaj at greebo.net> wrote:
> Here's a tidbit I've been working on. 
>
> http://www.greebo.net/owasp/php.zip
> 
> Suggestions welcome.

After a thorough review, my first suggestion is to refrain from speaking
authoritatively about security practices in PHP until you are more
comfortable with the language. This paper appears to be more of a rant
against PHP than a sincere effort to promote security in PHP applications.
I don't think this is the right approach for any OWASP documentation. Our
purpose is not to attempt to promote our favorite languages but rather to
promote secure web application development. You're welcome to disagree.

There is too much misinformation for me to recommend this document to
anyone. For example:

1. "I deliberately target features of PHP 5.0 as earlier versions are
impossible to secure without excessive workarounds."

This is too subjective and very misleading. It is not difficult to achieve
a high level of security in PHP 4 or 5.

2. "The entire idea of creating variables from hostile input without first
untainting them is insane."

Data, both tainted and untainted, is usually made available to the
developer in a variable. This is not a unique feature of PHP, otherwise it
would be impossible (or very cumbersome, depending upon how access to this
data is granted) to develop web applications in other languages. External
data should be considered tainted until proven otherwise.

I always recommend that register_globals be disabled, but it has nothing
to do with PHP creating variables. It is because of the increase in risk.
There is a very distinct and important difference between a risk and a
vulnerability.

Also, you contradict this recommendation in your stance against
magic_quotes_gpc. This is a directive created to reduce the risk of SQL
injection. As you correctly note, it is inadequate protection, but it
still reduces the risk.

I also recommend that developers disable magic_quotes_gpc but for a
different reason (two reasons) - there are more reliable escaping
functions for most popular databases (mysql_escape_string(), for example),
and escaping data for one particular purpose increases the complexity when
you use the data for another purpose (complexity increases risk).

3. "PHP is simply pathetic at data validation."

This claim is never supported. In being consistent with the OWASP Guide,
data validation requires work on the part of the developer. PHP is no
exception.

4. "Shawn Clowes, A study in Scarlet"

This is a poor resource to reference. I do not fault you for it, because
it is a famous document. However, it was filled with misinformation years
ago, and what little of it was accurate is now outdated and no longer
accurate.

I hope that helps.

Chris
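The magic_quotes_gpc point above, as an added example that is not part of the original mail or the reviewed paper. It simulates magic_quotes_gpc with addslashes() (the transformation it applied to GET/POST/COOKIE data) and uses addslashes() as a stand-in for a database escaping function so it runs without a server; the request value is constructed.

```php
<?php
// Added example, not from the original mail. It shows the two reasons
// given for disabling magic_quotes_gpc. No database is needed: the
// directive is simulated with addslashes(), which is what it applied
// to every GET/POST/COOKIE value at request time.
//
// php.ini, the weak setting beside the corrected one:
//   magic_quotes_gpc = On    ; blanket escaping of all request input
//   magic_quotes_gpc = Off   ; escape at the point of use, per purpose
//   register_globals = Off   ; do not create variables from request data

// Constructed request input: a surname containing a single quote.
$request = ['surname' => "O'Brien"];

// What the script receives under each setting.
$with_magic    = array_map('addslashes', $request);   // magic_quotes_gpc = On
$without_magic = $request;                            // magic_quotes_gpc = Off

// Purpose-specific escaping, applied once where the value is used.
// Reason 1: for MySQL, mysqli_real_escape_string($link, $v) is the
// reliable choice; addslashes() stands in only so this runs offline.
function escape_for_sql(string $v): string {
    return addslashes($v);
}
function escape_for_html(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

// Reason 2: data escaped for one purpose is wrong for every other one.
// With magic quotes on, escaping again for SQL stores a double-escaped
// value, and HTML output carries a stray backslash.
$sql_double = escape_for_sql($with_magic['surname']);   // O\\\'Brien
$html_stray = escape_for_html($with_magic['surname']);  // O\&#039;Brien

// With magic quotes off, each use escapes the raw value exactly once.
$sql_once  = escape_for_sql($without_magic['surname']);   // O\'Brien
$html_once = escape_for_html($without_magic['surname']);  // O&#039;Brien

// Legacy scripts that cannot change php.ini must first undo the blanket
// escaping; that extra step is the complexity the Off setting removes.
function raw_value(string $v, bool $magic_quotes_on): string {
    return $magic_quotes_on ? stripslashes($v) : $v;
}

echo "magic on,  SQL:  $sql_double\n";
echo "magic on,  HTML: $html_stray\n";
echo "magic off, SQL:  $sql_once\n";
echo "magic off, HTML: $html_once\n";
echo "recovered raw:   " . raw_value($with_magic['surname'], true) . "\n";
```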
