[ic] Considering interchange

Mike Heins mike at perusion.com
Tue Mar 14 11:34:17 EST 2006


Quoting Stefan Hornburg (Racke) (racke at linuxia.de):
> Mike Heins wrote:
> > Quoting Mick Szucs (mick at scrapbookgraphics.com):
> > 
> >>Hello, all.
> >>
> >>The warning that this list is "high traffic" seems a little unfounded now.
> > 
> > 
> > I remember the warning -- we used to get 15,000 messages a year -- but
> > I forget where it is.
> > 
> > 
> >>I'm running a reasonably successful osCommerce site right now and I'm
> >>looking to move to something that, umm... sucks less.  Interchange seems
> >>to be flexible and well written, plus I *heart* Perl.
> > 
> > 
> > Welcome. I believe osCommerce and the success of PHP is probably one
> > of the reasons Interchange's mail list is not so busy any more. I have
> > never really looked at PHP carts, because I think security is generally
> > very poor on PHP. I know it is improving, but it still is a crack
> > waiting to happen.
> 
> I doubt that it makes sense to judge the "security" of a programming language.
> There were many problems in the past with badly written Perl CGI scripts as well.

You can make anything insecure. We have had our share of security holes
in Interchange.

> In fact, the concern is security of web applications or dynamic pages
> in general. The typical website owner downloads an application
> (nowadays often PHP), installs it and probably never updates it.

They don't update it because it is so difficult to do so. Since the
app is part of the page in most cases, you can't just update and
go. That is the first major problem with PHP.

> Malicious users can easily exploit said applications to get webserver
> rights on a host on known problems.
>

The reason I don't like PHP security is the architecture of permissions
and files. If, by default, it didn't allow opening files, it would go a
long way toward improving security. But as it stands, most installations
have world-writable directories which are in HTTP space. At that point,
any old script injection allows writing a file, and at that point you
are toast.

It is true there are ways in a default IC setup to do this, but
if you lock down the production server by splitting the admin to
a separate instance this is not true. In PHP it is inherent, and
you can write files throughout the filesystem.

Have you put up a new web server lately? Check your access logs
in the first day after you do. There are attempts to attack 
Mambo and the XMLRPC library within minutes.

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295  tollfree 800-949-1889 <mike at perusion.com>

Find the grain of truth in criticism, chew it, and swallow
it. -- anonymous
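The message above singles out world-writable directories inside the web document root as the misconfiguration that turns any script-injection bug into a file write. The following shell script is an added example, not code from this thread or from the Interchange project: it audits a document root for world-writable entries and strips the world-write bit as remediation. The document root path and the `images`/`uploads` directory names are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a web document root for world-writable directories and files, and
# optionally remove the world-write bit. Added example; the sample docroot
# built by make_sample_docroot is constructed, not taken from any real site.

# Print every world-writable path under the given directory, one per line.
# -perm -002 matches any entry whose mode includes the "other write" bit.
find_world_writable() {
    find "$1" -perm -002 -print
}

# Count world-writable entries; 0 means the tree is clean.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remediation: clear the world-write bit on every offending entry.
fix_world_writable() {
    find "$1" -perm -002 -exec chmod o-w {} \;
}

# Build a constructed sample docroot in a temp directory:
#   images/  with sane permissions (0755)
#   uploads/ world-writable (0777), the misconfiguration discussed above
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/images" "$d/uploads"
    chmod 0755 "$d/images"
    chmod 0777 "$d/uploads"
    echo "$d"
}

docroot=$(make_sample_docroot)
echo "Auditing $docroot"
find_world_writable "$docroot"
echo "world-writable entries before fix: $(count_world_writable "$docroot")"
fix_world_writable "$docroot"
echo "world-writable entries after fix:  $(count_world_writable "$docroot")"
```

Run it against a real document root by replacing the constructed `docroot` with the server's path; a non-zero count before the fix is the condition the message describes, where a web-server-rights compromise can drop files into HTTP space.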

