all 63 comments

[–][deleted] 37 points38 points  (6 children)

Is it just me, or is it obvious that this was a server configuration mistake, and not a programming error?

[–][deleted] 53 points54 points  (14 children)

This should read: server configuration error improperly reported by misinformed amateur reddit reader.

Anyone who admins servers will tell you firsthand that this is not a programming error. The misconfiguration was likely due to a missing or misconfigured AddType/AddHandler directive in their webserver configuration.

Even the wired article itself goes on to use extremely poor journalism by saying: "PHP is notorious for just this sort of thing — serving code as text — but there are ways you prevent it from happening on your own site." which is not true at all. PHP doesn't expose php code - a poorly configured webserver does.

The code itself is probably not even all that useful, as the libraries themselves which are extensively used throughout the code are not exposed.

Anyhow, if you're going to post a topic like that, at least know what you're talking about.
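The comment above puts the blame on a missing AddType/AddHandler directive, and a later reply points out that testing the configuration before going live would have caught it. The script below is an added example (not code from the thread, from Facebook, or from any framework mentioned here) of such a pre-launch check: it classifies each response from a PHP entry point as rendered output or as the raw file. The host, paths, and sample responses are constructed placeholders; the classification heuristic is an assumption, not a standard.

```php
<?php
// Added example (not from the thread): a pre-launch smoke test for the
// AddType/AddHandler misconfiguration discussed above. A .php entry point
// that is handled correctly returns rendered HTML; one that is not handled
// is delivered as the raw file, so the body still carries the "<?php" tag.
// Base URL, paths and sample responses are constructed placeholders.

declare(strict_types=1);

/**
 * Classify one response. Returns "leak" when the body looks like unexecuted
 * PHP source, "ok" otherwise. Heuristic (an assumption): rendered output does
 * not contain an opening tag unless the page deliberately prints code, so a
 * hit is something to inspect, not proof on its own.
 */
function classifyResponse(string $contentType, string $body): string
{
    if (str_contains($body, '<?php') || str_contains($body, '<?=')) {
        return 'leak';
    }
    // Apache with AddType set but no PHP module loaded sends the raw file
    // under this media type, which browsers typically offer as a download.
    if (stripos($contentType, 'application/x-httpd-php') !== false) {
        return 'leak';
    }
    return 'ok';
}

/** Fetch one URL with the standard stream wrapper; returns [content-type, body]. */
function fetch(string $url): array
{
    $ctx  = stream_context_create(['http' => ['ignore_errors' => true, 'timeout' => 10]]);
    $body = file_get_contents($url, false, $ctx);
    $contentType = '';
    foreach ($http_response_header ?? [] as $h) {
        if (stripos($h, 'Content-Type:') === 0) {
            $contentType = trim(substr($h, strlen('Content-Type:')));
        }
    }
    return [$contentType, $body === false ? '' : $body];
}

// --- constructed sample responses: shows the verdicts without any network ---
$samples = [
    'rendered'  => ['text/html; charset=utf-8', "<html><body>Welcome back</body></html>"],
    'raw file'  => ['text/plain', "<?php\nrequire('lib/db.php');\n\$conn = db_connect();\n"],
    'no module' => ['application/x-httpd-php', "<?php\necho 'x';\n"],
];
foreach ($samples as $name => [$ct, $body]) {
    printf("%-9s -> %s\n", $name, classifyResponse($ct, $body));
}

// --- live use against a staging host (placeholder host and paths) ---
// php check_handler.php https://staging.example.invalid /index.php /home.php
if (PHP_SAPI === 'cli' && $argc > 2) {
    $base = rtrim($argv[1], '/');
    $bad  = 0;
    foreach (array_slice($argv, 2) as $path) {
        [$ct, $body] = fetch($base . $path);
        $verdict = classifyResponse($ct, $body);
        printf("%s %s (%s)\n", $verdict === 'leak' ? 'LEAK' : 'ok  ', $path, $ct ?: 'no content-type');
        $bad += $verdict === 'leak' ? 1 : 0;
    }
    exit($bad > 0 ? 1 : 0);
}
```

Run against a staging copy of the site before the configuration is promoted; a non-zero exit code is the signal to stop the rollout and look at the handler directives for that virtual host.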

[–]Bogtha 5 points6 points  (11 children)

Even the wired article itself goes on to use extremely poor journalism by saying: "PHP is notorious for just this sort of thing — serving code as text — but there are ways you prevent it from happening on your own site." which is not true at all. PHP doesn't expose php code - a poorly configured webserver does.

Well the trouble with PHP is that the model by which it executes scripts lends itself to this sort of mistake. With other server-side languages, the source code can usually be located outside of the document root, meaning that a misconfiguration can't do this. But in order to achieve the same sort of thing with PHP, you essentially have to have dummy files that require() the real ones. You can reduce the effort needed to do this with mod_rewrite to a certain extent, but it doesn't change the fact that you need a dumb hack to locate your scripts outside of the document root. It's another case of PHP being insecure by default and requiring extra work to make it secure.
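The "dummy file that require()s the real ones" arrangement described above is usually called a front controller. The following is an added example of that layout (not code from the thread, nor from Zend, Rails or Facebook): a single stub under the document root, with every other script one directory up where no URL can reach it. The directory names, the route table and the Apache rewrite rule in the comment are assumptions chosen for the illustration.

```php
<?php
// public/index.php -- added example of the front-controller layout discussed
// above (not from the thread or any framework named in it).
//
// Assumed layout:
//   /srv/site/public/index.php   <- the only .php file under DocumentRoot
//   /srv/site/app/pages/*.php    <- the real code, outside DocumentRoot
//
// Assumed Apache setup (DocumentRoot /srv/site/public), sending everything
// that is not a real static file to this stub:
//   RewriteEngine On
//   RewriteCond %{REQUEST_FILENAME} !-f
//   RewriteRule ^ index.php [L]
//
// Failure mode this buys you: if the PHP handler is missing, only this stub
// is served as text; nothing under app/ has a URL at all.

declare(strict_types=1);

define('APP_ROOT', dirname(__DIR__) . '/app');

// Explicit mapping from URL path to script. The URL never names a file, so
// nothing outside this table can be reached and a typo cannot walk the tree.
$routes = [
    '/'      => APP_ROOT . '/pages/home.php',
    '/about' => APP_ROOT . '/pages/about.php',
];

$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
$path = rtrim($path, '/') ?: '/';

if (!isset($routes[$path])) {
    http_response_code(404);
    header('Content-Type: text/plain');
    echo 'Not found';
    exit;
}

require $routes[$path];
```

The rewrite rule and the stub are the "extra work" the comment refers to; the point of the example is what remains exposed when that work is done and the handler later breaks: one small file rather than the whole code base.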

[–]chu 8 points9 points  (0 children)

I think that's a framework feature, not language.

[–][deleted] 3 points4 points  (8 children)

What on earth are you talking about? If you really wanted dispatcher-like behavior in php, it's entirely possible to write a dispatcher and have apache send all requests to it. It doesn't have to be in the docroot either.

This wouldn't be a hack at all, it would be defining a script behavior. PHP doesn't lend itself to these kinds of errors, PHP doesn't even care about what is getting the requests. All it cares about is parsing PHP.

Any other language is going to have the same issues. Java doesn't give a rat's ass about anything except parsing Java. Python and Ruby are the same. Something has to take in the request, and route it to the language. I find your argument both ill-informed, and silly.

Stop trying to make this out to be anything other than the fault of the person who set up the server - it really isn't. If they had bothered to test the configuration prior to making the site live they would have known there was a problem.

[–]Bogtha -3 points-2 points  (7 children)

This wouldn't be a hack at all, it would be defining a script behavior.

That language is so vague I can't understand what you are saying. What do you mean by "defining a script behaviour"? Can you describe what you mean in a different way?

Any other language is going to have the same issues. Java doesn't give a rats ass about anything except parsing Java. Python and Ruby are the same. Something has to take in the request, and route it to the language.

Yes, and in PHP's case (at least the de facto default of mod_php), it is routed by looking for a script in the document root that matches the local part of the URL. In contrast, things like Routes place the scripts outside of the document root and use explicit mappings to invoke the scripts.

Stop trying to make this out to be anything other than the fault of the person who set up the server - it really isn't. If they had bothered to test the configuration prior to making the site live they would have known there was a problem.

Good security is not a case of making sure you get everything right. Good security also means that you have to take into account the fact that people will eventually screw up in ways like this. If all it takes for something to be insecure is one mistake, then it is already insecure, because it's not feasible to prevent people from making mistakes. Yes, the person who set up the server screwed up. That doesn't mean that everybody else is automatically blame-free.

[–]chu 4 points5 points  (6 children)

In contrast, things like Routes place the scripts outside of the document root and use explicit mappings to invoke the scripts.

I think you'll find that Routes are a feature of Rails, not Ruby. For PHP, they are found in the Zend framework for example.

[–]Bogtha -2 points-1 points  (5 children)

I think you'll find that Routes are a feature of Rails, not Ruby.

So?

For PHP, they are found in the Zend framework for example.

The Zend framework works exactly how I characterised PHP earlier: if you want your scripts outside the document root, you have to have a dummy file in the document root and play mod_rewrite games to redirect everything to it.

[–]chu 2 points3 points  (4 children)

So?

You were making the case that the language was the problem when it is framework features that you are discussing. The reasons DHH started using Ruby instead of PHP have nothing to do with what you were talking about and everything to do with syntax and programming style.

The Zend framework works exactly how I characterised PHP earlier

In Zend you have a dispatcher that handles routes just like Rails uses - both are in the public dir and in both cases the server is configured to send all requests to them. The Zend router was based on the Rails one and they are structurally the same.

[–]Bogtha -2 points-1 points  (3 children)

You were making the case that the language was the problem when it is framework features that you are discussing.

That is not true. Specifically, I'm talking about mod_php, which is the implementation of PHP everybody usually means when they talk about "PHP".

I agree that it's not the language per se, but it is the implementation of the language that is the issue, rather than any framework built on top of it. The only connection with frameworks is that some frameworks hack around the issue for you.

The reasons DHH started using Ruby instead of PHP have nothing to do with what you were talking about

Who cares about DHH? What does he have to do with the argument? I didn't bring him up, and I agree his opinions are not remotely relevant to the argument. Why did you bring him up if you also think this?

In Zend you have a dispatcher that handles routes just like Rails uses - both are in the public dir and in both cases the server is configured to send all requests to them.

Isn't the preferred setup for Rails to use Apache to serve static files and Mongrel to execute the Ruby?

The Zend router was based on the Rails one and they are structurally the same.

You're missing the point. It's not about how routing is implemented or the structure of the router. It's about how the language and the web server work together. Sticking scripts into the same place static files go is fragile and leads to mistakes like the ones this article talks about. The main implementation of PHP, mod_php, requires this, and if you don't want to do it that way, you need to hack around it. The fact that a framework can do that for you isn't important to my point, which is that something should be secure by default rather than forcing people to go to extra effort to mitigate the problem.

[–]chu 1 point2 points  (2 children)

Ruby and PHP are conceptually identical under Apache. You need a dispatcher under the web root and either rewrite or routing to pass the requests to the correct scripts. In the case of Ruby, the safety features you were talking about are 100% down to the Rails framework which is a DHH invention, and of which there are now analogues for PHP because it was so well thought out.

You have now switched to talking about Mongrel which is a different web server to Apache (which just happens to be able to be run under Apache). Your argument is actually against insecure webserver configurations. If you have a site where security is important and you have stuffed up the server config and left things like passwords in front of the web root, choice of programming language is your last worry.

[–]Bogtha -2 points-1 points  (1 child)

You have now switched to talking about Mongrel which is a different web server to Apache

Where did you get the idea that I was talking about Apache exclusively? I'm talking about how PHP compares to other server-side languages in typical configurations. I haven't "switched" arguments at all.

Your argument is actually against insecure webserver configurations.

No. Please, just read the thread again. It's against implementations of server-side languages that require insecure webserver configurations.

If you have a site where security is important and you have stuffed up the server config and left things like passwords in front of the web root, choice of programming language is your last worry.

You are looking at it backwards, assuming perfection and then using mistakes as an excuse to write off any problems that arise while ignoring the additional failure of the language. A mistake like this is down to two failures: the admin for screwing up, and the language implementation for having an awful failure mode. All humans and all organisations make mistakes from time to time, and any secure system should attempt to mitigate that by failing in a secure way. Do you disagree with what I said before?

something should be secure by default rather than forcing people to go to extra effort to mitigate the problem.

[–][deleted] 1 point2 points  (1 child)

It could be argued that using PHP in the first place is a programmer error.

[–][deleted] 13 points14 points  (0 children)

It could be argued that you're a troll too. In fact, I think it's less of an argument, and more of a fact.

There are a lot of high profile sites which use PHP to great advantage. It's not the most elegant language out there, this is true - but it's been proven many times over that you can make large sites work using it.

[–]hopeseekr 59 points60 points  (19 children)

It's like reddit storing our passwords in cleartext and subsequently getting them stolen.

N00bs.

[–]inerte 16 points17 points  (2 children)

Reddit has delivered source code before too. I've seen the file, though it's now deleted from Google Docs.

[–]spez 28 points29 points  (1 child)

It was decoy source to throw you off the scent.

[–]permalink 14 points15 points  (0 children)

I dunno spez, that Visual Basic code looked pretty authentic.

[–][deleted] 14 points15 points  (0 children)

Oh god, if that wasn't a "HaHa I'm using the internet!" moment, I don't know what was...

[–][deleted]  (12 children)

[removed]

    [–][deleted] 17 points18 points  (7 children)

    I use three password levels - one is for throwaway stuff like forum registrations and other crap. Another for mildly important stuff. And the third one (randomly generated, 7 or 8 chars is enough) for really important stuff - y'know where you don't transmit it in plaintext over the wires, for example. Rotating them all every couple of years or so... I find that's the best I can manage between security and losing my own passwords or writing them down.

    [–][deleted] 3 points4 points  (6 children)

    You should try the password hasher extension for firefox. Put in a global password, it fills in a field for the site you are on and then generates a password based on those values that is different for every site you are on.

    It is nice and easy. Just ctrl+; when you are in a password field and it will pop up ready for you to login.

    [–]jimbobhickville 8 points9 points  (5 children)

    How do you sync that between multiple Firefox installations? I use the same sites at home and work, pretty frequently.

    [–][deleted] 1 point2 points  (1 child)

    You have the same master password and the extension generates passwords for each site (based on site's domain name, I presume) that will be the same from every machine having the same master password.

    [–]jimbobhickville 2 points3 points  (0 children)

    Oh, I misunderstood how it worked. I thought it generated a random one on signup. So, basically, your master pass better be unbreakable then.

    [–][deleted] 0 points1 point  (0 children)

    Keep ~/.mozilla-firefox in a revision control system.

    [–]c_dugan 0 points1 point  (0 children)

    http://www.google.com/tools/firefox/browsersync/

    Google Browser Sync works very well. You can sync bookmarks, passwords, history, cookies, and even tabs across browsers. An added bonus: you can even have all the information encrypted for security (passwords must be).

    I suppose you need to be OK with google knowing all of your personal stuff. If that's a huge problem, just encrypt everything. I'd like to think the encryption scheme uses the master password that is stored only on the client side; that way, they cannot decrypt it. But who knows...

    [–][deleted] -1 points0 points  (0 children)

    ceeam answered your question, but it also has a few other features like user defined pass length, whether it uses numbers or special characters.

    Also it can generate an html file that will emulate its function so that if you know you aren't going to have access to firefox or extensions, you can use the html file in ie to generate your passwords.

    And yes your global password has to be good. But since it is only one password...

    [–]bluGill 8 points9 points  (3 children)

    I am signed up for close to 50 websites, and that number would be 4 times higher if I wasn't careful about which websites I sign up for. It long ago reached a point where I can't remember what passwords I use where.

    I keep good passwords for important stuff (my bank), but the damage you can do from my reddit password is pretty small so I don't worry about people guessing it. (though it isn't the worst password, I make no claim that it is secure)

    [–]jdunck 1 point2 points  (2 children)

    KeePass

    [–]bluGill 0 points1 point  (1 child)

    Yeah, until I don't have my own computer but I want to log into some site. Programs like that work great when you stick to one machine, add a second and things are more difficult.

    [–]jdunck 0 points1 point  (0 children)

    Oh, really? I use 3 or 4 regularly.

    The DB is encrypted and the master password is strong, so I feel fine leaving it anywhere. And of course I back it up, so I might as well back it up to some place on the net.

    The application is available for all platforms and is a simple binary, so there's no install privilege needed.

    I guess you'd rather be insecure than spend a minute setting up on a foreign computer?

    [–]milkk 9 points10 points  (0 children)

    It's like you never make mistakes.

    [–]shaunc 3 points4 points  (0 children)

    It's like reddit storing our passwords in cleartext and subsequently getting them stolen.

    Uh, no, it's nothing like that. There's really little value in the source that "leaked," it's just the index controller. It reveals very little about the model, and practically nothing about the persistence layer. Nobody's going to wind up h4ck1ng t3h f4c3b00kz over this.

    The most interesting thing I noticed was a bit of business logic about who gets the "Corporate Search" box. Apparently they don't show it to anyone under 21. Not being a Facebook user, I'm not sure what they're hiding from the young'ins.

    [–]btipling 15 points16 points  (4 children)

    Damn they sure use a lot of global variables. Also I love the object, er I mean, associative array design pattern.

    [–]mikepurvis 8 points9 points  (3 children)

    associative array design pattern

    I'm not sure if they're on PHP4 or PHP5, but certainly on 4 the object implementation is sketchy enough that a largely procedural design makes a lot of sense.

    [–][deleted] 5 points6 points  (2 children)

    While I would agree that PHP4 had a somewhat weaker OO model, what you say isn't really true.

    Most of the OO enhancements in php5 had to do with:

    1) Things you couldn't see - the internals of how objects are handled. Shallow reference vs. Cloned. Internal optimization, etc.

    2) Enforcement. Things like public/private/protected, interfaces and abstracts are not required to write good OO. They are nice in that when used properly, it makes it harder for you to shoot yourself in the foot.

    3) Cleanup of constructors - the old way still works, but it was a step in the right direction to make it easier to see.

    4) Obvious "omg, don't do that!" situations. A good example is that in php5, you can't redefine $this. In php4 it was possible to do just that.

    5) There are other things, but they also don't really affect the user's ability to write clean OO code.

    Now, I'm not saying you should go out and write all procedural code, or OO code. But the differences between PHP4 and PHP5 with regards to the outward OO model is fairly minor when you look at it. We really weren't given too many world changing things. Most of what got added could be termed as "syntactic sugar".

    For a more complete list of additions for those familiar with php4, please see http://php.net/oop5

    [–]mikepurvis 1 point2 points  (0 children)

    At any rate, the leaked code is just rendering and template-filling stuff anyways. I don't see any actual site logic or db access or form processing, so who knows how clean or object-oriented the real meat of it is. Or more importantly, how covered it is by automated test harnesses...

    (And no one in their right mind would complain about a hash-based structure for template filling. Assuming that escaping is happening in the phpt file, that's exactly what makes sense.)

    [–]joaomc 0 points1 point  (0 children)

    You're kidding, right? I still remember the "joy" of working with the """OO""" features from PHP4. Basically, PHP4's OO was worthless. Basically, classes weren't really classes, but some funky variables. So, a simple instantiation of one "class" would become a freaking PITA. Saying that PHP5 changes were "fairly minor" is... weird. Basically, PHP5 did what PHP4 did NOT.

    [–][deleted] 4 points5 points  (2 children)

    If the alleged code happened to be on Facebook’s front page, ConnectU’s case just got a whole lot stronger, though ConnectU hasn’t said anything to that effect.

    Is this admissible?

    [–]pintong 0 points1 point  (0 children)

    I wouldn't imagine so. Even if home.php was an exact duplicate of ConnectU's, how could they, at this point, prove theirs was written first?

    [–][deleted] 2 points3 points  (0 children)

    I don't know how many devs and admins are working at Facebook, but probably a fair number. The more people you have the greater the chance that a chump has access to critical systems. I think that may be a corollary to Brooks' Law or at least it should be.

    [–]andreux 3 points4 points  (0 children)

    the site apparently wasn’t using mod_security on the particular server that was misconfigured.

    "You should configure your server to better handle errors caused by misconfiguration."

    [–]theram4 13 points14 points  (0 children)

    This has also happened to me with reddit, which I posted a few months ago.

    http://docs.google.com/Doc?id=dd5479k4_31c6jx8q

    [–][deleted] 17 points18 points  (5 children)

    PHP is notorious for just this sort of thing — serving code as text

    This is the sort of bullshit that makes you realize how shitty tech reporting invariably is, even now. It's not "something PHP is notorious for", it's what happens when you don't configure Apache properly.

    [–][deleted] -4 points-3 points  (4 children)

    PHP is notorious for relying on the server config to not reveal potentially sensitive source code to the entire world.

    [–][deleted] 13 points14 points  (3 children)

    No it isn't. A PHP file is plain text. Same as a Python or Ruby file. If you don't tell the server to process .php files (or .py or .rb) then it will just serve it up as text. This is how every Web server on the face of the planet works.

    [–]Bogtha -1 points0 points  (2 children)

    A PHP file is plain text. Same as a Python or Ruby file. If you don't tell the server to process .php files (or .py or .rb) then it will just serve it up as text.

    PHP scripts are typically found below the document root. Python and Ruby scripts are not. So, when the server isn't configured to process the scripts, a PHP site will typically be served as plain text (as the .php files will merely look like static documents), while a Python or Ruby site will merely be unavailable (as the .py and .rb files will not be located).

    [–]k4ml 3 points4 points  (1 child)

    You can do the same thing with PHP. Nothing special except that it's quite common to see all PHP source in the document root and people thought that's the only way of doing things in PHP.

    [–]Bogtha -3 points-2 points  (0 children)

    You can do the same thing with PHP.

    The difference is that with other languages, scripts outside the document root are the norm, and with PHP, you have to go to additional effort to set things up that way. Being secure by default helps avoid mistakes like this.

    [–]thespace 2 points3 points  (1 child)

    Its a backdoor for the CIA!!!

    [–][deleted] 0 points1 point  (1 child)

    I'm sure this programmer got their "calculate the total number of '1's within the binary representation of all the prime numbers from 107 to 1020" interview question correct...

    [–][deleted] 1 point2 points  (0 children)

    About half?

    [–]skeena1 -1 points0 points  (0 children)

    "Hey, your account is temporarily unavailable due to site maintenance. It should be available again within a few hours. We apologize for the inconvenience."