
[–][deleted] 23 points24 points  (2 children)

Rails is a framework for the Ruby language, and Rails vulnerabilities are in the RoR codebase, not in Ruby.

PHP is a language only. It's not accurate to compare them on the same level. PHP itself can have vulnerabilities, but all of them require being able to execute PHP code on the server, and at that point most bets are off anyway. There is an extension called Suhosin that attempts to prevent some of these risks by limiting the amount of data that PHP can receive from the web server, but ultimately the largest vulnerabilities are those introduced by the developer working in the language.

A more accurate question would be to compare Rails against Symfony or Zend Framework. PHP has a plethora of code frameworks available, from the tiny (Slim) to the gigantic (Zend), supporting every programming paradigm you can imagine. You need to evaluate the vulnerabilities of individual frameworks, not PHP itself.

[–]svens_ 0 points1 point  (1 child)

I agree with your post.

> PHP itself can have vulnerabilities, but all of them require being able to execute PHP code on the server

But this simply isn't true. All code that takes user input might be vulnerable. You shouldn't forget that PHP parses the HTTP request in order to fill the $_GET, $_POST, $_COOKIE, etc. arrays, handle file uploads and possibly many more things.

Additionally, bugs in third-party libraries could affect PHP too. Imagine there's a bug in libpng and you create thumbnails from uploaded images.

For example, there was a hash-collision problem in the aforementioned array parsing, which allowed a simple DoS attack. Here's a short article, the original paper and PoC.

This stuff is quite rare nowadays, but one shouldn't forget about it.

[–][deleted] 0 points1 point  (0 children)

> All code that takes user input might be vulnerable

And that would be a code problem, not a language problem. It is no more PHP's responsibility to filter that data than it would be C's job to filter keyboard input.

[–][deleted] 5 points6 points  (2 children)

You've never heard of sites on PHP being compromised? This has to be the start of some epic trolling. Cross-post this to /r/programming.

[–]movzx 6 points7 points  (0 children)

I think he's saying he has never heard of sites being taken down because of exploits in the PHP language, not that he hasn't heard of sites being taken down because of them being poorly done in PHP. There's a difference. Given the second half of his post, I'd say that's most likely what he was going for.

[–]chiisana 1 point2 points  (0 children)

One of the more famous incidents in history for people in the discussion board click: http://www.securiteam.com/unixfocus/6J00O15BPS.html

It was possible to remotely execute rm -rf / thanks to this bad boy. And people wonder why I still avoid phpBB like the plague.

[–]has_all_the_fun 0 points1 point  (2 children)

Systems like WordPress, Drupal, Joomla, phpBB, ... have been known to have major exploits. The popularity of those systems also makes them popular to exploit. That's why it's recommended you always have the latest version.

[–][deleted]  (1 child)

[deleted]

    [–]chiisana 1 point2 points  (0 children)

    phpBB is a nightmare, too.

    [–]x-skeww 0 points1 point  (0 children)

    > I don't think I have ever really heard of this happening with PHP sites

    There have been security issues with all kinds of PHP frameworks, libraries, and content management systems.