[TAG] "Lupper Worm" and the patching of bad software

Rick Moen rick at linuxmafia.com
Thu Nov 10 22:37:02 MSK 2005


Quoting Jason Creighton (jcreigh at gmail.com):

> I feel that one should be wary of PHP as well.

Oh yes.  It's not that the language is inherently bad, but many of its
practitioners fell into very bad habits, early on, including the
developers of major, almost-turnkey applications -- and some of those 
habits are actually still embedded into typical PHP setup defaults.

I write just a bit about this in "PHP" on http://linuxmafia.com/kb/Security/ .

People running PHP in their Web servers should run, not walk, to
double-check /etc/php4/apache/php.ini (or similar location), if they
have not, already.  Typically, the default php.ini is explicitly
intended solely for development-environment use, and contains many
settings that are outright dangerous when exposed to public networks.

I found that out and corrected it before it bit me, but many other
people have not been so lucky.  

Also, a depressingly large number of developed PHP applications break if
you tighten down those dangerous default settings.  Which is sufficient
comment on their quality, right there.
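As an added illustration of the php.ini check urged above (this is not Rick's code or anything from the list), here is a small Python audit that parses a php.ini and flags development-oriented settings left at their permissive value. The message does not say which settings it has in mind; the four directives below are my assumption of the classic ones (each is a real php.ini directive), and the sample file is constructed.

```python
# Directives a public-facing php.ini should not leave permissive.
# ASSUMPTION: the original message names no directives; these are the
# well-known ones a reviewer would check first.
RISKY_DIRECTIVES = {
    "register_globals": "lets request parameters become PHP variables",
    "display_errors": "shows paths and error detail to visitors",
    "allow_url_fopen": "lets include()/fopen() fetch remote URLs",
    "expose_php": "advertises the PHP version in HTTP headers",
}

_TRUE = {"on", "1", "true", "yes"}
_FALSE = {"off", "0", "false", "no", "none", ""}


def parse_php_ini(text):
    """Return {directive: value} from php.ini text; ';' starts a comment,
    [section] headers are ignored, keys are lower-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def as_bool(value):
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError("unrecognised boolean value: %r" % value)


def audit_php_ini(text):
    """Return (directive, current_value, reason) for every risky directive
    that is On, or that is not set explicitly (engine default applies)."""
    settings = parse_php_ini(text)
    findings = []
    for name, reason in RISKY_DIRECTIVES.items():
        current = settings.get(name)
        if current is None:
            findings.append((name, "<unset>", "not set; verify engine default"))
        elif as_bool(current):
            findings.append((name, current, reason))
    return findings


# Constructed sample resembling a development-oriented php.ini.
SAMPLE_DEV_INI = """; constructed sample, not a real distribution file
[PHP]
register_globals = On
display_errors = On    ; handy while debugging
allow_url_fopen = On
expose_php = On
"""

if __name__ == "__main__":
    for name, value, reason in audit_php_ini(SAMPLE_DEV_INI):
        print("%-18s = %-8s %s" % (name, value, reason))
```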
