[TAG] "Lupper Worm" and the patching of bad software
Jimmy O'Regan
jimregan at o2.ie
Thu Nov 10 22:45:20 MSK 2005
Jason Creighton wrote:
> On Wed, Nov 09, 2005 at 11:57:15AM -0800, Rick Moen wrote:
>
>>I'm also slowly developing an (at least partial) allergy to Perl CGI
>>scripts exposed to hostile networks, since it seems that few authors
>>bother doing meaningful input validation. The security history of
>>AWstats is instructive: The authors keep releasing patches to fix "new"
>>vulnerabilities, but none of those patches has ever addressed the root
>>problem of bad design. Therefore, the patches are ultimately
>>ineffective. As the computer said in "War Games", the only way to win
>>is not to play.
>
>
> I feel that one should be wary of PHP as well. It just blows my mind how
> much code out there looks like:
I think Rick was singling out Perl here because there are so many people
who learned CGI programming in the pre-CPAN dark ages who are under the
mistaken impression that it's better to do everything their script needs
themselves, rather than to use a widely used and well tested module.
I wouldn't take it as tacit approval of PHP (you've pointed out why
not), or any other language/methodology/etc. -- I'm sure that in time,
when those "3 hour Ruby on Rails[1] applications" have had enough months
of hacking that they do something useful, we'll see a new set of idiotic
input validation practices, but it is at least a positive step: the
database is accessed through a "convenient" layer that's maintained by
people who (hopefully) have a better idea of what they're doing, just as
PHP (and Perl's CGI module) abstracted HTTP GET and POST.
[1] Not to single Ruby, or Rails, out: insert TurboGears, Catalyst, etc.
as applicable.
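The distinction drawn above (doing everything in the script by hand versus leaning on a widely used module and a database layer), as an added Perl example that is not from this thread; the `stats` table, its columns and the SQLite file are hypothetical:

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): hand-rolled CGI handling beside the
# module-based form. Table, column and database names are hypothetical.
use strict;
use warnings;
use CGI;   # parses GET/POST, so the script never pokes at QUERY_STRING itself
use DBI;

# The pre-CPAN habit: split QUERY_STRING by hand and interpolate into SQL.
# Decoding is incomplete ('+' and %XX escapes are ignored) and the value
# goes straight into the statement text. Kept only for contrast; not called.
sub lookup_by_hand {
    my ($dbh) = @_;
    my %p = map { my ($k, $v) = split /=/, $_, 2; ($k, $v // '') }
            split /&/, ($ENV{QUERY_STRING} // '');
    my $site = $p{site} // '';
    return $dbh->selectall_arrayref(
        "SELECT day, hits FROM stats WHERE site = '$site' ORDER BY day");
}

# The module-based form: CGI.pm does the decoding, an allowlist regex
# validates (and, under -T, untaints) the value, and DBI's placeholder
# keeps the value out of the SQL text entirely.
sub lookup_with_modules {
    my ($dbh, $q) = @_;
    my $raw = $q->param('site') // '';
    my ($site) = $raw =~ /^([a-z0-9][a-z0-9.-]{0,253})$/i
        or die "invalid site parameter\n";
    return $dbh->selectall_arrayref(
        'SELECT day, hits FROM stats WHERE site = ? ORDER BY day',
        undef, $site);
}

my $q   = CGI->new;
my $dbh = DBI->connect('dbi:SQLite:dbname=stats.db', '', '',
                       { RaiseError => 1 });
print $q->header('text/plain');
printf "%s %d\n", @$_ for @{ lookup_with_modules($dbh, $q) };
```

Run it as a CGI script (so the `-T` on the shebang line takes effect); taint mode makes Perl refuse to pass unvalidated request data to the shell or filesystem, which is the safety net the allowlist match is written to satisfy.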